"web_accessible_resources" 的安全性
Security with "web_accessible_resources"
The MDN docs state:
To enable a web page to contain an <img> element whose src attribute points to this image,
you could specify "web_accessible_resources" like this:
"web_accessible_resources": ["images/my-image.png"]
The file will then be available using a URL like:
moz-extension://<extension-UUID>/images/my-image.png
<extension-UUID> is not your extension's ID.
It is randomly generated for every browser instance.
This prevents websites from fingerprinting a browser by examining
the extensions it has installed.
So I assumed these resources cannot be read by any web page outside the extension, because the page would need to know the random UUID.
However, the same MDN docs also say:
Note that if you make a page web-accessible, then any website may then link or redirect
to that page. The page should then treat any input (POST data, for example)
as if it came from an untrusted source, just as a normal web page should.
I don't understand "any website may then link or redirect to that page". Doesn't it need to know the random UUID? How else could a web page access this resource?
The whole point of web-accessible resources is to be able to include them in a web context.
While you could deliver the random UUID to a web page so it can use the file, it does not have to be included in the website's own code. Here's a hypothetical scenario:
You're writing an extension that adds a button to evil.com site's UI. That button is supposed to have an image on it.
You bundle the image with your extension, but to add it as src
or CSS property to the webpage you need to be able to reference it from a web context.
So, you make it web-accessible, and then inject your UI element with a content script.
A perfectly reasonable scenario.
Note that a random third-party site villains-united.com cannot just grab the URL to find out whether your extension is installed, because the URL is unique per browser. That is the intent behind the WebExtensions UUID, as opposed to Chrome's extension-ID model.
But let's continue our hypothetical scenario from a security perspective.
The operators of evil.com are unhappy with your extra UI. They add a script to their code that looks for added buttons. That script can see the DOM properties of the button, including the address of the image. Now evil.com's code can see your UUID.
Being the good guy, your extension's source code is available somewhere, including the page that launches nuclear missiles if called (why you would have that and why it would be web-accessible is another matter, perhaps to provide the functionality to good-guys-last-resort.org).
evil.com's script now can reconstruct the URL of this trigger page and XHR it, plunging the planet into nuclear apocalypse. Oops. You probably should've checked the origin of that request.
Basically, if web-accessible resources are used in a page, the UUID may leak into that page's context through the DOM. And that may not be a page you control.
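As an added example (not code from the question or the answer above), here is a content script that avoids the DOM leak the answer describes: instead of setting the button image's src to the moz-extension://<UUID>/ URL, it fetches its own bundled image and inlines the bytes as a data: URL, so the host page's scripts only ever see image bytes. The image path images/button.png and all function names are assumptions of mine.

```javascript
// Added example (not from the question or answer above): inject the button
// image without exposing moz-extension://<UUID>/... in the host page's DOM.
// The content script fetches its own bundled image (still listed in
// web_accessible_resources) and inlines the bytes as a data: URL, so the
// page's scripts see image bytes rather than the per-browser UUID.
// Assumed names: 'images/button.png' and every function below are my own.

const EXTENSION_URL_RE = /^(moz|chrome)-extension:\/\//i;

// Base64-encode raw image bytes into a data: URL (btoa exists in browsers
// and in Node 16+).
function toDataUrl(bytes, mimeType) {
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return `data:${mimeType};base64,${btoa(binary)}`;
}

// Defensive check run on any attribute value before it is written into the
// host page's DOM: reject anything that would reveal the extension's origin.
function leaksExtensionUrl(value) {
  return EXTENSION_URL_RE.test(String(value));
}

// Build the <img> attributes from already-fetched bytes. Throws instead of
// leaking if a caller passes an extension URL through by mistake.
function buildSafeImageAttrs(bytes, mimeType) {
  const src = toDataUrl(bytes, mimeType);
  if (leaksExtensionUrl(src)) throw new Error('refusing to expose extension URL');
  return { src, alt: 'extension button' };
}

// Browser-only part (runs in the content script). The moz-extension URL is
// used only inside the content script's own fetch and never reaches the DOM.
async function injectButton() {
  const url = browser.runtime.getURL('images/button.png'); // assumed path
  const bytes = new Uint8Array(await (await fetch(url)).arrayBuffer());
  const attrs = buildSafeImageAttrs(bytes, 'image/png');
  const img = Object.assign(document.createElement('img'), attrs);
  const button = document.createElement('button');
  button.appendChild(img);
  document.body.appendChild(button);
}

if (typeof browser !== 'undefined' && typeof document !== 'undefined') {
  injectButton();
}
```

The image still has to be listed in web_accessible_resources for the content script's fetch to succeed, so any web-accessible page in the same extension must still treat incoming input as untrusted, as the MDN note says.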