CursedChrome

Permissions required?

Open Matir opened this issue 4 years ago • 2 comments

Is there a meaningful difference between <all_urls> and "https://*/*", "http://*/*" in how this extension uses things? It would seem to preclude file://, ftp://, and chrome-extension:// URLs, though I believe it can still access its own extension resources.

Matir, Nov 16 '20 20:11

It would still be able to access its own origin (e.g. chrome-extension://randomextid, all extensions can with zero permissions declared), and I'm not sure there is a meaningful distinction here. Not sure how ftp:// works, but for file:// you have to explicitly toggle a setting in the extension's specific chrome://extensions settings page, which seems unlikely to happen/be part of an attack.

For 99% of use cases, I'd imagine if an extension has https://*/* and http://*/* then it's basically functionally equivalent to <all_urls>. Same for if someone used *://*/* (also a valid host match pattern apparently).

Were you thinking the docs should be a bit more clear on this point?

mandatoryprogrammer, Nov 22 '20 20:11

Yeah, it might not be bad. I thought (and in my own testing, it appears correct) that "https://*/*", "http://*/*" just works, but I was wondering if there was an edge case I was not considering.

Matir, Nov 23 '20 06:11
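
One way to audit a manifest for the equivalence discussed in this thread, as an added example that is not part of the issue or of CursedChrome's code: it treats <all_urls>, *://*/* and the http://*/* plus https://*/* pair as the same all-hosts grant for web pages. The sample manifests are constructed and the function names are hypothetical; the path part of a pattern is ignored, so any all-hosts pattern is flagged.

```javascript
// Added example: flag extension manifests that can reach every http/https host.
// SAMPLES are constructed manifests; function names are hypothetical.
const SAMPLES = {
  allUrls: { manifest_version: 2, permissions: ["tabs", "<all_urls>"] },
  pair: { manifest_version: 3, host_permissions: ["https://*/*", "http://*/*"] },
  star: { manifest_version: 2, permissions: ["*://*/*"] },
  httpsOnly: { manifest_version: 3, host_permissions: ["https://*/*"] },
  scoped: {
    manifest_version: 3,
    host_permissions: ["https://*.example.com/*"],
    content_scripts: [{ matches: ["http://example.com/*"], js: ["a.js"] }],
  },
};

// Gather every string that may be a host match pattern: MV2 keeps them in
// "permissions", MV3 in "host_permissions"; content scripts carry "matches".
function hostPatterns(manifest) {
  const scripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...(manifest.permissions || []), ...(manifest.host_permissions || []), ...scripts];
}

// Web schemes for which a single pattern covers all hosts.
// API permissions such as "tabs" and host-scoped patterns return [].
function allHostSchemes(pattern) {
  if (pattern === "<all_urls>") return ["http", "https"];
  const m = /^(\*|https?):\/\/\*\//.exec(pattern); // host must be exactly "*"
  if (!m) return [];
  return m[1] === "*" ? ["http", "https"] : [m[1]]; // "*" scheme = http or https
}

// Sorted list of web schemes the manifest can reach on every host.
function broadWebSchemes(manifest) {
  return [...new Set(hostPatterns(manifest).flatMap(allHostSchemes))].sort();
}

// True when the manifest is functionally an all-sites grant for web pages.
function hasAllWebAccess(manifest) {
  return broadWebSchemes(manifest).length === 2;
}

for (const [name, manifest] of Object.entries(SAMPLES)) {
  console.log(name, broadWebSchemes(manifest), hasAllWebAccess(manifest));
}
```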