Are there any restrictions on access to browser extensions storage?

I'm trying to understand security implications of using browser extensions storage. A few things are not clear to me when I read the WebExtensions storage documentation.

Documentation says among others that:

> Values are scoped to the extension, not to a specific domain (i.e. the same set of key/value pairs are available to all scripts in the background context and content scripts).

also:

> Each extension has its own storage area, which can be split into different types of storage.

also:

> The storage area is not encrypted and shouldn't be used for storing confidential user information.

Considering the above I still have a few questions here:

  1. Is it possible for extension E to access data stored by extension A?

  2. Is it possible for an arbitrary webpage to access data stored by extension A?

  3. Is it possible for a webpage on which extension A is run to access data stored by this extension?

I read a few bits about localStorage (in)security but I'm not sure if and how those rules apply to

Thanks in advance for your help!

firefox-webextensions browser-extension webextension-storage

asked Nov 11 at 1:27
maciejchmielarz

1 Answer

Note: storage.local (e.g. browser.storage.local.get('item') or chrome.storage.local.get('item')) is a WebExtension API and limited to the extension. It should not be confused with Window.localStorage (e.g. localStorage.getItem('item')), which is a Web API and not secure and accessible.

In case of storage.local:

> Is it possible for extension E to access data stored by extension A?

No. Each extension has its own storage.local area, and it is not accessible by other extensions.

> Is it possible for an arbitrary webpage to access data stored by extension A?

No. As above, access is limited to the extension only.

> Is it possible for a webpage on which extension A is run to access data stored by this extension?

No. As above.

answered Nov 11 at 4:52
erosman

• Thanks erosman for the answer and the clarifying note :) FTR I'm aware of the difference you mention and my problem was exactly that localStorage (Web API) security is extensively covered here and there but I had a really hard time to find similar details about storage (WebExtension API) security. Thanks for clarifying this for me.
  – maciejchmielarz
  Nov 11 at 20:21
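
The page itself has no storage API for the extension's area, so anything it learns from extension A's storage has to be relayed by A's own content script, which the quoted documentation says shares that storage. The following is an added example, not code from the post or from the WebExtensions documentation, of such a relay that checks the sender and exposes only allowlisted keys; the origin, key names and message types are assumptions made for illustration.

```javascript
// Added example: content-script relay exposing only allowlisted storage keys.
// Assumed (hypothetical) names: PAGE_ORIGIN, ALLOWED_KEYS, "ext-get"/"ext-reply".
const PAGE_ORIGIN = "https://app.example";   // constructed origin
const ALLOWED_KEYS = new Set(["theme"]);      // keys the page may read

// Decide what, if anything, to send back for one "message" event.
// `storage` is browser.storage.local inside a real content script.
async function handlePageRequest(event, pageWindow, storage) {
  if (event.source !== pageWindow) return null;     // sent by another frame
  if (event.origin !== PAGE_ORIGIN) return null;    // unexpected origin
  const msg = event.data;
  if (!msg || msg.type !== "ext-get" || typeof msg.key !== "string") return null;
  if (!ALLOWED_KEYS.has(msg.key)) {
    return { type: "ext-reply", key: msg.key, error: "denied" };
  }
  const found = await storage.get(msg.key);         // resolves to { key: value }
  return { type: "ext-reply", key: msg.key, value: found[msg.key] };
}

// Wiring for a Firefox content script (browser.* namespace); skipped elsewhere.
if (typeof window !== "undefined" && typeof browser !== "undefined") {
  window.addEventListener("message", async (event) => {
    const reply = await handlePageRequest(event, window, browser.storage.local);
    if (reply) window.postMessage(reply, PAGE_ORIGIN);
  });
}

// Constructed stand-in for storage.local so the checks can be run offline.
function fakeStorage(data) {
  return { get: async (key) => (key in data ? { [key]: data[key] } : {}) };
}

// Constructed requests: an allowed key, a secret key, and a foreign origin.
async function demo() {
  const page = {};  // stands in for the page's window object
  const storage = fakeStorage({ theme: "dark", apiToken: "constructed-secret" });
  const ask = (key, origin = PAGE_ORIGIN) =>
    handlePageRequest({ source: page, origin, data: { type: "ext-get", key } }, page, storage);
  return {
    allowed: await ask("theme"),
    denied: await ask("apiToken"),
    wrongOrigin: await ask("theme", "https://other.example"),
  };
}

demo().then((results) => console.log(results));
```

Because storage.local is unencrypted and shared by every script of the extension, the allowlist in the relay is the only thing deciding which stored values a page can obtain this way.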















