Some extensions like Google Inbox for Chrome will inject a single `iframe` that ... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

bfred_it on Feb 6, 2018 | parent | context | favorite | on: Grammarly shared its tokens with all websites

Some extensions like Google Inbox for Chrome will inject a single `iframe` that points to a `chrome-extension://` page, so while the page might notice the element, it can't access its content.

I think you could use the Shadow DOM in closed mode to prevent any information from leaking. [1]

[1]: https://blog.revillweb.com/open-vs-closed-shadow-dom-9f3d742...

kuschku on Feb 6, 2018 [–]

Pages sadly could still detect this content, and change their behaviour based on it.

Ideally you’d want to allow addons to modify pages in a way that pages can not detect or interfere with.

(e.g., some newspapers used to run JS to remove the AdBlock "block this" UI whenever you tried to remove an ad)

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact