by dkopi 3620 days ago
Good point, but that's assuming you're running in the context of the popup and not in the context of a content script. In the popup's script, you are using a new DOM. But in a content script - you're using the same DOM as the client, which can override createElement (and any other function as well).

While content scripts (in the extension world, meaning scripts running in the context of a content page) share the DOM with the untrusted page, they do not share the JavaScript wrapper layer around that DOM. This is extra confusing because the global object is a (JavaScript wrapper around a) DOM object.

The untrusted script can override its own view of createElement, but not the extension's view.

Very interesting if true. I'm tempted to build an extension just to check that.

I wonder if a DOM mutation event would be triggered if a content script adds a new link element and changes its href.

Would I be able to catch that and quickly change the href, before the content script continues to fetch the processed properties?

> Very interesting if true.

It is true. See documentation => https://developer.chrome.com/extensions/content_scripts#exec... :

> Content scripts execute in a special environment called an isolated world. They have access to the DOM of the page they are injected into, but not to any JavaScript variables or functions created by the page. ... The same is true in reverse

I don't know about this specific point, but you might want to take a look at the greasemonkey security pitfalls page [0]. There's been a lot of effort put into how all of these parts work together to make sure that malicious Javascript on the page can't interfere with what the plugin or userscript is trying to do.

[0] http://archive.oreilly.com/pub/a/network/2005/11/01/avoid-co...

Chrome extensions' content scripts are under stronger isolation from the page than greasemonkey scripts are (or were? -- I'm not sure if greasemonkey has changed since). Chrome extensions run in a separate "isolated world" from the page. They never share javascript objects directly. (They do share the DOM, but the isolated world gets its own separate Javascript wrappers around the DOM.) It's not possible to leak a function from the extension to the page, etc.
The page could only see a mutation event and get a reference to the element if the element was attached to the document. If the extension never attaches the anchor element to the document, then the page's code can't get to it.
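
A small Node model of the layout described in this reply (one shared DOM, a separate wrapper object per world), added here as an illustration; it is not browser or Chrome code and does not model real DOM semantics, and the names makeSharedDom, makeWorldDocument, runPageScript, contentScriptResolve and demo are assumptions of the example.

```javascript
// Toy model of the "isolated world" layout: one shared DOM and a separate
// JavaScript wrapper per world. Constructed for illustration, not browser code.

// Shared DOM state seen by both worlds: attached children plus observers.
function makeSharedDom() {
  return { children: [], observers: [] };
}
// Each world gets its own wrapper; patching one wrapper leaves the other alone.
function makeWorldDocument(dom) {
  return {
    createElement(tag) {
      return { tag, href: '' }; // detached: known only to the caller's world
    },
    appendChild(node) {
      dom.children.push(node);
      for (const cb of dom.observers) cb(node); // mutation fires on attach
    },
    observeMutations(cb) { dom.observers.push(cb); },
  };
}

// The untrusted page patches its *own* createElement and watches the document.
function runPageScript(pageDoc, seen) {
  const original = pageDoc.createElement;
  pageDoc.createElement = function (tag) {
    const el = original.call(this, tag);
    seen.created.push(el); // hopes to capture extension-created elements
    return el;
  };
  pageDoc.observeMutations((node) => seen.attached.push(node));
}

// The content script resolves a URL with a detached anchor, as in the thread.
function contentScriptResolve(extDoc, href) {
  const a = extDoc.createElement('a');
  a.href = href;
  return a.href;
}

function demo() {
  const dom = makeSharedDom();
  const pageDoc = makeWorldDocument(dom); // page's wrapper
  const extDoc = makeWorldDocument(dom); // content script's wrapper
  const seen = { created: [], attached: [] };
  runPageScript(pageDoc, seen);
  const href = contentScriptResolve(extDoc, 'https://example.com/x'); // unseen
  extDoc.appendChild(extDoc.createElement('div')); // attaching IS observable
  return { href, pageSawCreate: seen.created.length, pageSawAttach: seen.attached.length };
}
```
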

Great point! Didn't realize that. Thanks for an informative answer. Definitely learned something new. This is why I'm here.

Even if it is a content script its still not possible. https://developer.chrome.com/extensions/content_scripts#exec...

My understanding is that the content script can access the webpage DOM, but not the other way around (it's a "one way street", if you will)