[z3ratul163071]

why would the browser ever expose extensions api to a web page. does firefox does this as well?

[ceejayoz]

The "The Attack: How it works" section explains how it works. It's not an API.

I am a little surprised something like CORS doesn't apply to it, though.

[acorn221]

So these extensions allow linkedin to do this though, it's literally them saying "yes, this site can ping this resource" - called "web_accessible_resources".

This is fair from Linkedin IMO as I've seen loads of different extensions actually scraping the linkedin session tokens or content on linkedin.

[entropyneur]

It's not the extension developer who should decide this, but the browser user.

[Hackbraten]

On what would the browser user base their decision?

If an extension injects an icon into the DOM of the page, then the resulting `img` tag needs to put something in its `src`.

The extension author may choose to use the `data:` scheme, but that's a development-time decision.

[Panda4]

> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions.

It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so.

edit: I answered before I go fully through the article but it does say it's only Chrome based.

> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.

> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.

[OoooooooO]

Firefox uses UUID for the local extension url per extension so you can't search for hardcoded local urls.

[dylan604]

What is a Chrome-based browser? Isn't Chrome Google's Chromium based browser? How many are based on Chrome?

[Panda4]

> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.

[andersonpico]

From "The Attack: How it works", its just checking the user agent string:

function a() { return "undefined" != typeof window && window && "node" !== window.appEnvironment; }

function s() { return window?.navigator?.userAgent?.indexOf("Chrome") > -1; }

if (!a() || !s()) return;

[thom]

I was under the impression Firefox randomises extension IDs on install, so hopefully not?

[Raed667]

they seem to be calling `chrome-extension://.....` so i don't think it applies to firefox

[hedora]

The answer to "why would Chrome ever undermine privacy and security?" is always "Google's revenue stream".

I'm happy to see that this doesn't hit firefox. I wonder if safari is impacted.