Hacker News new | ask | show | jobs
by fuzzy2 3528 days ago
> By definition, browser extensions need to be able to access things such as page content.

On Firefox/XUL maybe. Web Extensions (like in Chrome) work much like Android apps: You need to acknowledge their desired permissions up front. They can’t request more later.

Of course you may need these permissions to create your extension.
2 comments
y0ghur7_xxx 3528 days ago
The vulnerability described by op applies to chrome just the same. Once the addon has `pageCapture` permission, an angular 1 exploit would work just the same.
link
emn13 3528 days ago
Many extensions have full access to all webpages, also in chrome; there's no sandbox or anything similar safely separating extension from page. That's not a bug or missing feature: it's by design! Many extensions fiddle with all kinds of page aspects as part of their core functionality.

An adblocker that can't inspect the page dom would likely not work very well.

link