by gorhill 2523 days ago
I deleted the tweets and Gist just out of respect for the Chromium people's decision to restrict the issue.

I personally do not see the point of considering this specific issue particularly severe because the Chrome Web Store already allows extensions to execute remote code in extension context simply by declaring `unsafe-eval` or `unsafe-inline` (or specific remote hosts) -- and one can find such extensions quite easily.[1]

If the Chrome Web Store had a policy of "no remote code execution in extension context under any circumstance", then the issue would definitely have been high severity.

* * *

[1] https://twitter.com/gorhill/status/1139306139072507906
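
An added example, not part of the comment above and not Chromium or Chrome Web Store code: a check over an extension's parsed `manifest.json` that flags the CSP declarations the comment names (`unsafe-eval`, `unsafe-inline`, remote hosts). The function name `auditExtensionCsp` and the sample manifests are constructed for illustration.

```javascript
// Constructed sample manifests (not taken from any real extension).
const SAMPLE_MV2 = {
  manifest_version: 2,
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
};
const SAMPLE_DEFAULT = {
  manifest_version: 2,
  content_security_policy: "script-src 'self'; object-src 'self'",
};
const SAMPLE_MV3 = {
  manifest_version: 3,
  content_security_policy: { extension_pages: "default-src 'self' 'unsafe-inline'" },
};

// Returns the script sources in the extension-page CSP that permit
// dynamic evaluation, inline script, or script from a remote host.
function auditExtensionCsp(manifest) {
  const csp = manifest.content_security_policy;
  // Manifest V2 stores one policy string; Manifest V3 stores an object
  // whose `extension_pages` key covers the extension's own pages.
  const policy = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  // script-src falls back to default-src when it is not declared.
  const sources = directives.get("script-src") || directives.get("default-src") || [];
  const findings = [];
  for (const source of sources) {
    const s = source.toLowerCase();
    if (s === "'unsafe-eval'" || s === "'unsafe-inline'") {
      findings.push({ kind: "keyword", source: s });
    } else if (!s.startsWith("'")) {
      // Unquoted sources are hosts or schemes; skip local schemes such as data: or blob:.
      const scheme = (s.match(/^([a-z][a-z0-9+.-]*):(\/\/|$)/) || [])[1];
      if (!scheme || ["http", "https", "ws", "wss"].includes(scheme)) {
        findings.push({ kind: "remote-host", source: s });
      }
    }
  }
  return findings;
}
```

An empty result means the policy declares none of the three; a missing `content_security_policy` key also returns an empty list.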