[arkadiyt]

Even without this issue all chrome extensions can execute code in their own context by explicitly setting a blob script-src rather than relying on the default, or by skipping the middle step and adding a domain they control to the script-src and directly linking a javascript file (why bother with blobs?), or even by pushing a new version which Chrome will automatically install for users. The title makes this issue sound severe but it's just a missing best practice.

[kevingadd]

I think "best practice" is a mistake in this context since it's an undocumented (?) change that has allowed malicious extensions to hide in plain sight - the default policy should not allow the naughty stuff they got up to, but it did because someone on the Chromium team weakened the security policy. Why audit for something that's impossible? (Obviously, thorough security screening WOULD audit for the impossible.)

This is worsened by the fact that the Play Store has near-zero security controls and no review so it's easy for malicious code to sneak into basically any high-install-count extension, especially if (as many extensions do) it requested lots of permissions it doesn't need.

[bscphil]

Maybe I'm misunderstanding the nature of the problem, but is there any way to fix the issue without breaking extensions like Greasemonkey?

[kevingadd]

Well, you can start by requiring the extensions to actually request all the permissions they use. Chrome does that now but has very coarse-grained permissions which makes it easier to hide malicious behavior, and in this case the permissions just weren't working so you could do something bad without the permission. The way extension permissions work in Chrome also means that extensions tend to request permissions they don't currently use, which means they can quietly pick up nasty behavior later on.

In the end an extension like Greasemonkey is implicitly unsafe because it's designed to run third-party content. You can't really fix that at an extension store/distribution platform level - so you put that dangerous footgun behind a permission and make sure users know what they're in for when installing it. I'm not sure what else you could really do since greasemonkey scripts rely on the ability to muck with page content.