访问浏览器扩展存储是否有任何限制?
Are there any restrictions on access to browser extensions storage?
我正在尝试了解使用浏览器扩展程序的安全隐患 storage。当我阅读 WebExtensions storage documentation.
时,有几件事我不清楚
文档中说:
Values are scoped to the extension, not to a specific domain (i.e. the same set of key/value pairs are available to all scripts in the background context and content scripts).
还有:
Each extension has its own storage area, which can be split into different types of storage.
还有:
The storage area is not encrypted and shouldn't be used for storing confidential user information.
综合以上我还有几个问题:
- 分机E是否可以访问分机A存储的数据?
- 是否可以让任意网页访问扩展程序A存储的数据?
- 扩展程序A所在的网页是否可以运行访问该扩展程序存储的数据?
我阅读了一些关于 localStorage (in)security 的内容,但我不确定这些规则是否以及如何适用于
在此先感谢您的帮助!
注意: storage.local(例如,browser.storage.local.get('item') 或 chrome.storage.local.get('item')) 是 WebExtension API 并且限于扩展名。不应与 Window.localStorage(例如 localStorage.getItem('item'))混淆,后者是 Web API,不安全且无法访问。
如果storage.local:
Is it possible for extension E to access data stored by extension A?
没有。每个分机都有自己的 storage.local 区域,其他分机无法访问。
Is it possible for an arbitrary webpage to access data stored by
extension A?
没有。如上访问仅限于分机。
Is it possible for a webpage on which extension A is run to access
data stored by this extension?
没有。如上
我正在尝试了解使用浏览器扩展程序的安全隐患 storage。当我阅读 WebExtensions storage documentation.
文档中说:
Values are scoped to the extension, not to a specific domain (i.e. the same set of key/value pairs are available to all scripts in the background context and content scripts).
还有:
Each extension has its own storage area, which can be split into different types of storage.
还有:
The storage area is not encrypted and shouldn't be used for storing confidential user information.
综合以上我还有几个问题:
- 分机E是否可以访问分机A存储的数据?
- 是否可以让任意网页访问扩展程序A存储的数据?
- 扩展程序A所在的网页是否可以运行访问该扩展程序存储的数据?
我阅读了一些关于 localStorage (in)security 的内容,但我不确定这些规则是否以及如何适用于
在此先感谢您的帮助!
注意: storage.local(例如,browser.storage.local.get('item') 或 chrome.storage.local.get('item')) 是 WebExtension API 并且限于扩展名。不应与 Window.localStorage(例如 localStorage.getItem('item'))混淆,后者是 Web API,不安全且无法访问。
如果storage.local:
Is it possible for extension E to access data stored by extension A?
没有。每个分机都有自己的 storage.local 区域,其他分机无法访问。
Is it possible for an arbitrary webpage to access data stored by extension A?
没有。如上访问仅限于分机。
Is it possible for a webpage on which extension A is run to access data stored by this extension?
没有。如上