[Goofy_Coyote]

It's not a security issue. This is an extension, it's weird and has some niche use-cases, but it is not a security issue as far as I can tell.

It's not like "include a script in a page, then execute arbitrary js on any tabs of anyone who visits that page".

That would've been a CVSS 10.

[pcthrowaway]

It kind of is, it injects the `tabgod` function into the window object of every tab. I could put something like this in the script for my blog:

    if (typeof window.tabgod === 'function') {
        tabgod(
            (tab) => tab.url === 'https://bankofamerica.com',
            () => { /* absolutely nothing good */ },
        }
    }

Keep in mind any network requests running from the script directly in the page will happily send your cookies, so this makes it trivial to gain unauthorized access to people's accounts. Any site you visit while running this extension can basically access your private data from every other site you happen to have a tab open for, and send requests impersonating you. It could also install a keyboard logger, etc.

[devidw]

yea your right, i have addressed this by moving the api from the window object to a dev tools panel page & options page of the extension so the website itself is no longer able to communicate to the service worker of the extension that is opening up the bridge to access all tabs

https://github.com/devidw/tabgod/issues/1#issuecomment-19336...

[bryanrasmussen]

Also if for example somebody has written a window opener function in their site's code and made the mistake of naming it tabgod there might also be problems.

But from reading the description it says in all devtools consoles - so I had assumed it was only in devtools context that the function was available?

[Goofy_Coyote]

Good point. Though this needs the target to have the extension installed.

I was thinking more along the lines of breaking out of process/site isolation or sandboxing - but yeah, you're making a good point.

[ambigious7777]

I know pretty much nothing about web extensions, but isn't it possible to add custom DevTools functions, like getEventListeners() or copy() in Chrome, without the page being accessed?