Are there any restrictions on access to browser extensions storage?
up vote
0
down vote
favorite
I'm trying to understand security implications of using browser extensions storage
. A few things are not clear to me when I read the WebExtensions storage documentation.
Documentation says among others that:
Values are scoped to the extension, not to a specific domain (i.e. the same set of key/value pairs are available to all scripts in the background context and content scripts).
also:
Each extension has its own storage area, which can be split into different types of storage.
also:
The storage area is not encrypted and shouldn't be used for storing confidential user information.
Considering the above I still have a few questions here:
- Is it possible for extension E to access data stored by extension A?
- Is it possible for an arbitrary webpage to access data stored by extension A?
- Is it possible for a webpage on which extension A is run to access data stored by this extension?
I read a few bits about localStorage
(in)security but I'm not sure if and how those rules apply to
Thanks in advance for your help!
firefox-webextensions browser-extension webextension-storage
add a comment |
up vote
0
down vote
favorite
I'm trying to understand security implications of using browser extensions storage
. A few things are not clear to me when I read the WebExtensions storage documentation.
Documentation says among others that:
Values are scoped to the extension, not to a specific domain (i.e. the same set of key/value pairs are available to all scripts in the background context and content scripts).
also:
Each extension has its own storage area, which can be split into different types of storage.
also:
The storage area is not encrypted and shouldn't be used for storing confidential user information.
Considering the above I still have a few questions here:
- Is it possible for extension E to access data stored by extension A?
- Is it possible for an arbitrary webpage to access data stored by extension A?
- Is it possible for a webpage on which extension A is run to access data stored by this extension?
I read a few bits about localStorage
(in)security but I'm not sure if and how those rules apply to
Thanks in advance for your help!
firefox-webextensions browser-extension webextension-storage
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I'm trying to understand security implications of using browser extensions storage
. A few things are not clear to me when I read the WebExtensions storage documentation.
Documentation says among others that:
Values are scoped to the extension, not to a specific domain (i.e. the same set of key/value pairs are available to all scripts in the background context and content scripts).
also:
Each extension has its own storage area, which can be split into different types of storage.
also:
The storage area is not encrypted and shouldn't be used for storing confidential user information.
Considering the above I still have a few questions here:
- Is it possible for extension E to access data stored by extension A?
- Is it possible for an arbitrary webpage to access data stored by extension A?
- Is it possible for a webpage on which extension A is run to access data stored by this extension?
I read a few bits about localStorage
(in)security but I'm not sure if and how those rules apply to
Thanks in advance for your help!
firefox-webextensions browser-extension webextension-storage
I'm trying to understand security implications of using browser extensions storage
. A few things are not clear to me when I read the WebExtensions storage documentation.
Documentation says among others that:
Values are scoped to the extension, not to a specific domain (i.e. the same set of key/value pairs are available to all scripts in the background context and content scripts).
also:
Each extension has its own storage area, which can be split into different types of storage.
also:
The storage area is not encrypted and shouldn't be used for storing confidential user information.
Considering the above I still have a few questions here:
- Is it possible for extension E to access data stored by extension A?
- Is it possible for an arbitrary webpage to access data stored by extension A?
- Is it possible for a webpage on which extension A is run to access data stored by this extension?
I read a few bits about localStorage
(in)security but I'm not sure if and how those rules apply to
Thanks in advance for your help!
firefox-webextensions browser-extension webextension-storage
firefox-webextensions browser-extension webextension-storage
asked Nov 11 at 1:27
maciejchmielarz
687
687
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
1
down vote
accepted
Note: storage.local
(e,g. browser.storage.local.get('item')
or chrome.storage.local.get('item'))
is a WebExtension API and limited to the extension. It should not be confused with Window.localStorage
(e.g. localStorage.getItem('item')
) which is a Web API and not secure and accessible.
In case of storage.local
:
Is it possible for extension E to access data stored by extension A?
No. Each extension has its own storage.local
area and not accessible by other extensions.
Is it possible for an arbitrary webpage to access data stored by
extension A?
No. As above access is limited to the extension only.
Is it possible for a webpage on which extension A is run to access
data stored by this extension?
No. As above.
Thanks erosman for the answer and the clarifying note :) FTR I'm aware of the difference you mention and my problem was exactly thatlocalStorage
(Web API) security is extensively covered here and there but I had a really hard time to find similar details aboutstorage
(WebExtension API) security. Thanks for clarifying this for me.
– maciejchmielarz
Nov 11 at 20:21
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
accepted
Note: storage.local
(e,g. browser.storage.local.get('item')
or chrome.storage.local.get('item'))
is a WebExtension API and limited to the extension. It should not be confused with Window.localStorage
(e.g. localStorage.getItem('item')
) which is a Web API and not secure and accessible.
In case of storage.local
:
Is it possible for extension E to access data stored by extension A?
No. Each extension has its own storage.local
area and not accessible by other extensions.
Is it possible for an arbitrary webpage to access data stored by
extension A?
No. As above access is limited to the extension only.
Is it possible for a webpage on which extension A is run to access
data stored by this extension?
No. As above.
Thanks erosman for the answer and the clarifying note :) FTR I'm aware of the difference you mention and my problem was exactly thatlocalStorage
(Web API) security is extensively covered here and there but I had a really hard time to find similar details aboutstorage
(WebExtension API) security. Thanks for clarifying this for me.
– maciejchmielarz
Nov 11 at 20:21
add a comment |
up vote
1
down vote
accepted
Note: storage.local
(e,g. browser.storage.local.get('item')
or chrome.storage.local.get('item'))
is a WebExtension API and limited to the extension. It should not be confused with Window.localStorage
(e.g. localStorage.getItem('item')
) which is a Web API and not secure and accessible.
In case of storage.local
:
Is it possible for extension E to access data stored by extension A?
No. Each extension has its own storage.local
area and not accessible by other extensions.
Is it possible for an arbitrary webpage to access data stored by
extension A?
No. As above access is limited to the extension only.
Is it possible for a webpage on which extension A is run to access
data stored by this extension?
No. As above.
Thanks erosman for the answer and the clarifying note :) FTR I'm aware of the difference you mention and my problem was exactly thatlocalStorage
(Web API) security is extensively covered here and there but I had a really hard time to find similar details aboutstorage
(WebExtension API) security. Thanks for clarifying this for me.
– maciejchmielarz
Nov 11 at 20:21
add a comment |
up vote
1
down vote
accepted
up vote
1
down vote
accepted
Note: storage.local
(e,g. browser.storage.local.get('item')
or chrome.storage.local.get('item'))
is a WebExtension API and limited to the extension. It should not be confused with Window.localStorage
(e.g. localStorage.getItem('item')
) which is a Web API and not secure and accessible.
In case of storage.local
:
Is it possible for extension E to access data stored by extension A?
No. Each extension has its own storage.local
area and not accessible by other extensions.
Is it possible for an arbitrary webpage to access data stored by
extension A?
No. As above access is limited to the extension only.
Is it possible for a webpage on which extension A is run to access
data stored by this extension?
No. As above.
Note: storage.local
(e,g. browser.storage.local.get('item')
or chrome.storage.local.get('item'))
is a WebExtension API and limited to the extension. It should not be confused with Window.localStorage
(e.g. localStorage.getItem('item')
) which is a Web API and not secure and accessible.
In case of storage.local
:
Is it possible for extension E to access data stored by extension A?
No. Each extension has its own storage.local
area and not accessible by other extensions.
Is it possible for an arbitrary webpage to access data stored by
extension A?
No. As above access is limited to the extension only.
Is it possible for a webpage on which extension A is run to access
data stored by this extension?
No. As above.
answered Nov 11 at 4:52
erosman
2,09931430
2,09931430
Thanks erosman for the answer and the clarifying note :) FTR I'm aware of the difference you mention and my problem was exactly thatlocalStorage
(Web API) security is extensively covered here and there but I had a really hard time to find similar details aboutstorage
(WebExtension API) security. Thanks for clarifying this for me.
– maciejchmielarz
Nov 11 at 20:21
add a comment |
Thanks erosman for the answer and the clarifying note :) FTR I'm aware of the difference you mention and my problem was exactly thatlocalStorage
(Web API) security is extensively covered here and there but I had a really hard time to find similar details aboutstorage
(WebExtension API) security. Thanks for clarifying this for me.
– maciejchmielarz
Nov 11 at 20:21
Thanks erosman for the answer and the clarifying note :) FTR I'm aware of the difference you mention and my problem was exactly that
localStorage
(Web API) security is extensively covered here and there but I had a really hard time to find similar details about storage
(WebExtension API) security. Thanks for clarifying this for me.– maciejchmielarz
Nov 11 at 20:21
Thanks erosman for the answer and the clarifying note :) FTR I'm aware of the difference you mention and my problem was exactly that
localStorage
(Web API) security is extensively covered here and there but I had a really hard time to find similar details about storage
(WebExtension API) security. Thanks for clarifying this for me.– maciejchmielarz
Nov 11 at 20:21
add a comment |
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53245061%2fare-there-any-restrictions-on-access-to-browser-extensions-storage%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown