I deleted the tweets and Gist just out of respect for the Chromium people's decision to restrict the issue.
I personally do not see the point of considering this specific issue particularly severe because the Chrome Web Store already allows extensions to execute remote code in extension context simply by declaring `unsafe-eval` or `unsafe-inline` (or specific remote hosts) -- and one can find such extensions quite easily.[1]
If the Chrome Web Store had a policy of "no remote code execution in extension context under any circumstance", then the issue would definitely have been high severity.
If this is as severe as I think it is, you may seriously want to consider taking down this link. Google and @gorhill have likely made things private for a reason.
Why? The model is wrong. There are always going to be severe bugs in deliberately complicated software. Hiding them behind terms that pretend the issue is about responsible disclosure is much more harmful in the long run because the real problem does not get fixed. Instead, due to a dependence on bad software, the problem can be used to attack speech.
I personally do not see the point of considering this specific issue particularly severe because the Chrome Web Store already allows extensions to execute remote code in extension context simply by declaring `unsafe-eval` or `unsafe-inline` (or specific remote hosts) -- and one can find such extensions quite easily.[1]
If the Chrome Web Store had a policy of "no remote code execution in extension context under any circumstance", then the issue would definitely have been high severity.
* * *
[1] https://twitter.com/gorhill/status/1139306139072507906