5

Can Chrome extensions make cross-origin requests by injecting JavaScript into the main page? If so, isn't it a security vulnerability?

Google Chrome Content Scripts

Cross Origin Requests

Umar Iqbal
http://stackoverflow.com/questions/9421933/cross-origin-xmlhttprequest-in-chrome-extensions has some relevant information – Limit Dec 19 '16 at 21:41

1 Answer

3

Actually, they don't even have to inject JavaScript into the main page. Extensions can require permissions to make Cross-Origin requests to certain websites; see https://developer.chrome.com/extensions/xhr. They can even use the <all_urls> permission to get Cross-Origin access for all websites. This is not a security vulnerability, as you have to manually install an extension and grant the permissions on installation, making you responsible for anything that happens.

JacobTDC
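An added example, not part of the original answer and not code from Chrome or any extension: a small Node.js audit that lists the host match patterns an extension manifest requests and flags `<all_urls>`-style access, so the permission grant can be reviewed before installation. It goes beyond the answer by also reading the Manifest V3 `host_permissions` keys and content-script `matches`; the function names and sample manifests are constructed for illustration.

```javascript
// Match patterns look like <scheme>://<host>/<path>, or the literal "<all_urls>".
const MATCH_PATTERN = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/;

function classifyPattern(pattern) {
  if (pattern === "<all_urls>") return "all-sites";
  const m = MATCH_PATTERN.exec(pattern);
  if (!m) return null; // an API permission such as "tabs", not a host pattern
  return m[2] === "*" ? "all-sites" : "scoped";
}

function auditHostAccess(manifest) {
  const findings = [];
  const collect = (source, list) => {
    for (const entry of list || []) {
      const scope = typeof entry === "string" ? classifyPattern(entry) : null;
      if (scope) findings.push({ source, pattern: entry, scope });
    }
  };
  collect("permissions", manifest.permissions); // Manifest V2 host patterns live here
  collect("host_permissions", manifest.host_permissions); // Manifest V3
  collect("optional_permissions", manifest.optional_permissions);
  collect("optional_host_permissions", manifest.optional_host_permissions);
  // Where content scripts are injected into pages.
  (manifest.content_scripts || []).forEach((cs, i) =>
    collect(`content_scripts[${i}].matches`, cs.matches));
  return findings;
}

function grantsAllSites(manifest) {
  return auditHostAccess(manifest).some((f) => f.scope === "all-sites");
}

// Constructed sample manifests (not taken from any real extension).
const scopedManifest = {
  manifest_version: 2,
  permissions: ["storage", "https://api.example.com/*"],
};
const broadManifest = {
  manifest_version: 3,
  permissions: ["tabs"],
  host_permissions: ["*://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

console.log(auditHostAccess(scopedManifest));
console.log(auditHostAccess(broadManifest));
```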