Proposal: restrict content_scripts.all_frames to specific main_frame origins. #117

Open
carlosjeurissen opened this issue Oct 21, 2021 · 2 comments
Labels
enhancement Enhancement or change to an existing feature needs-triage proposal Proposal for a change or new feature topic: scripting

Comments

@carlosjeurissen
Contributor

carlosjeurissen commented Oct 21, 2021

To reduce the attack surface of content_scripts, I'm proposing to allow authors to restrict content_scripts.all_frames to specific main_frame origins or matches. Imagine it like this:

"content_scripts": [{
  "css": [ "/content-script.css" ],
  "js": [ "/content-script.js" ],
  "matches": [ "https://www.example.com/*" ],
  "all_frames": true,
  "main_frame_origins": [ "<extension_origin>", "www.example.com" ]
}]

This makes sure content-scripts are not changing anything in situations they are not meant to make changes.

Basically the goal here is to only inject content_scripts if and only if the parent frame matches what the author specified.

@xeenon
Collaborator

xeenon commented Oct 25, 2021

I'm confused what that is hardening about content scripts. Is this about requiring the frame to be embedded in only one of the matching main_frame_origins?

@xeenon xeenon added the enhancement Enhancement or change to an existing feature label Oct 25, 2021
@carlosjeurissen
Contributor Author

It's not about making frames embeddable. Sometimes extensions only want to inject a content_script in a specific sub_frame and not in the main_frame. There are specific websites (any website by default) which can be embedded on another website in an iframe. Thus if an extension wants to inject a content_script in these sub_frames on specific websites, it might open up holes in other websites where this specific sub_frame can also be embedded.
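
The guard below is an added example, not part of the thread and not any browser's implementation: it approximates the proposed `main_frame_origins` restriction at runtime, inside a content script, using `location.ancestorOrigins`. The function names and the matching semantics for list entries are assumptions, since the proposal does not define them; where `ancestorOrigins` is unavailable the guard fails closed.

```javascript
// Added example, not from the thread. Assumed semantics for the proposed key:
// "<extension_origin>" means the extension's own origin, an entry containing
// "://" is a full origin, and a bare host such as "www.example.com" is https only.
const ALLOWED_MAIN_FRAME_ORIGINS = ["<extension_origin>", "www.example.com"];

// Origin of the top-level document, or null when it cannot be determined.
// ancestorOrigins lists the direct parent first and the top-level document last.
function mainFrameOrigin(ancestorOrigins, selfOrigin) {
  if (ancestorOrigins == null) return null; // API not available in this browser
  const chain = Array.from(ancestorOrigins);
  return chain.length === 0 ? selfOrigin : chain[chain.length - 1];
}

function entryMatches(entry, origin, extensionOrigin) {
  if (entry === "<extension_origin>") return origin === extensionOrigin;
  if (entry.includes("://")) return origin === entry;
  return origin === "https://" + entry; // bare host: https, default port only
}

// True only when the top-level document's origin is on the allow list.
function shouldRun(allowed, ancestorOrigins, selfOrigin, extensionOrigin) {
  const top = mainFrameOrigin(ancestorOrigins, selfOrigin);
  if (top === null || top === "null") return false; // unknown or opaque: fail closed
  return allowed.some((entry) => entryMatches(entry, top, extensionOrigin));
}

// Content-script entry point; skipped when run outside an extension context.
if (typeof chrome !== "undefined" && chrome.runtime && typeof location !== "undefined") {
  const extensionOrigin = chrome.runtime.getURL("").replace(/\/$/, "");
  if (shouldRun(ALLOWED_MAIN_FRAME_ORIGINS, location.ancestorOrigins,
                location.origin, extensionOrigin)) {
    // Placeholder for the content script's real work.
    document.documentElement.dataset.exampleContentScript = "active";
  }
}
```

The check looks at the last entry of `ancestorOrigins`, so a matching frame nested under an unlisted top-level site is rejected even if its direct parent is listed.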
