by adambrenecki 2845 days ago
> Avoiding it is fairly easy, by isolating all of the extension’s user interface in an <iframe> element.

Right, but if the social network website can modify the HTML that the Keybase extension is injecting, then surely it can also modify the iframe's URL to an attacker-controlled one? Or, for that matter, replace the event handler on the "Keybase Chat" button itself before it even gets clicked?

I'm not an extension developer, so there might be APIs available to extensions or restrictions on webpage JS that I'm not aware of, but I suspect the only secure way to do this (if you don't trust the page you're embedding in) might be to have the extension communicate with the native Keybase app, which then opens a chat window with the appropriate user, similar to how the 1Password browser extension works.

3 comments
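The delegation the comment above proposes (extension hands the request to a native app, which draws its own window) runs over the browsers' native messaging channel. As an added illustration that is not from this thread, from Keybase or from 1Password, the Node.js code below implements that channel's framing as documented for Chrome and Firefox: each message is a UTF-8 JSON document prefixed by a 32-bit length in native byte order, and a host may send the browser at most 1 MiB per message. The `openChat` action, the `USERNAME_RE` policy and the decoder's size cap are assumptions made here for the example, not anything from a real Keybase host.

```javascript
// Added example: native messaging framing plus a hypothetical host-side
// handler. Little-endian is assumed (x86/ARM hosts); the real channel uses
// the host's native byte order.
const HOST_TO_BROWSER_LIMIT = 1024 * 1024;  // documented 1 MiB limit, host -> browser
const DECODER_CAP = 16 * 1024 * 1024;       // assumed defensive cap on the host side

// Frame a JSON-serialisable object as the host would write it to stdout.
function encodeFrame(obj) {
  const body = Buffer.from(JSON.stringify(obj), 'utf8');
  if (body.length > HOST_TO_BROWSER_LIMIT) {
    throw new RangeError('message exceeds the 1 MiB host-to-browser limit');
  }
  const header = Buffer.alloc(4);
  header.writeUInt32LE(body.length, 0);
  return Buffer.concat([header, body]);
}

// Incremental decoder: stdin delivers bytes in arbitrary chunks, so a host
// must buffer until a complete length-prefixed frame is available.
class FrameDecoder {
  constructor() { this.buf = Buffer.alloc(0); }

  // Feed a chunk; returns every complete message it can now parse.
  push(chunk) {
    this.buf = Buffer.concat([this.buf, chunk]);
    const messages = [];
    while (this.buf.length >= 4) {
      const len = this.buf.readUInt32LE(0);
      if (len > DECODER_CAP) throw new RangeError('oversized frame');
      if (this.buf.length < 4 + len) break;  // wait for the rest of the body
      messages.push(JSON.parse(this.buf.subarray(4, 4 + len).toString('utf8')));
      this.buf = this.buf.subarray(4 + len);
    }
    return messages;
  }
}

// Hypothetical host-side handler (an assumption for this example): the
// extension forwards only an identifier, never message text or UI, and the
// native app validates it before opening its own trusted chat window.
const USERNAME_RE = /^[a-z0-9_]{2,16}$/;  // assumed username policy
function handleRequest(req) {
  if (!req || req.action !== 'openChat') {
    return { ok: false, error: 'unknown action' };
  }
  if (typeof req.user !== 'string' || !USERNAME_RE.test(req.user)) {
    return { ok: false, error: 'invalid user' };
  }
  return { ok: true, openedChatWith: req.user };
}

// Drive a constructed request stream through the decoder in 5-byte chunks
// so the buffering path is exercised, and return the host's replies.
function roundTrip(requests) {
  const stream = Buffer.concat(requests.map(encodeFrame));
  const decoder = new FrameDecoder();
  const replies = [];
  for (let i = 0; i < stream.length; i += 5) {
    for (const req of decoder.push(stream.subarray(i, i + 5))) {
      replies.push(handleRequest(req));
    }
  }
  return replies;
}
```

The security point is in `handleRequest`: the web page can tamper with anything the extension injects into its DOM, but it cannot reach the native host, so whatever crosses this channel is the only input the native app has to validate, and it should be a small, well-typed identifier rather than free-form UI state.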

> Right, but if the social network website can modify the HTML that the Keybase extension is injecting, then surely it can also modify the iframe's URL to an attacker-controlled one?

Keybase could minimize that by showing the user's name and/or logo in the iframe. Barring another vulnerability, the site shouldn't know who is logged in to the extension, so they shouldn't be able to fake that.

Yes, I didn't bother expanding this further. Spoofing Keybase UI would still be possible, but users would notice that their message doesn't get sent. Still, the only complete solution would be to delegate even the initial message to the app rather than asking users to enter it on the webpage. Unfortunately, browsers don't let extensions open trusted UI at will...

Sure they do, you just get a prompt saying 'you sure you want to open keybase?', with the option to skip this prompt in the future.

By "trusted UI" I meant user interface within the browser that clearly doesn't belong to the webpage, such as the browser action's pop-up. As I said, an extension like Keybase could delegate this action to their app. Other extensions don't have this option because they don't have a native component. This is the reason why so many have implemented questionable or outright insecure solutions.

As an extension developer, I'm tempted to say that your suggestion might be the only secure way to do it. Extension JavaScript is isolated, but all extensions share the DOM of course.