Are there any restrictions on access to browser extensions storage?
I'm trying to understand security implications of using browser extensions storage. A few things are not clear to me when I read the WebExtensions storage documentation.
Documentation says among others that:
Values are scoped to the extension, not to a specific domain (i.e. the same set of key/value pairs are available to all scripts in the background context and content scripts).
also:
Each extension has its own storage area, which can be split into different types of storage.
also:
The storage area is not encrypted and shouldn't be used for storing confidential user information.
Considering the above I still have a few questions here:
- Is it possible for extension E to access data stored by extension A?
- Is it possible for an arbitrary webpage to access data stored by extension A?
- Is it possible for a webpage on which extension A is run to access data stored by this extension?
I read a few bits about localStorage (in)security but I'm not sure if and how those rules apply to
Thanks in advance for your help!
firefox-webextensions browser-extension webextension-storage
asked Nov 11 at 1:27
maciejchmielarz
1 Answer
accepted
Note: storage.local (e.g. browser.storage.local.get('item') or chrome.storage.local.get('item')) is a WebExtension API and limited to the extension. It should not be confused with Window.localStorage (e.g. localStorage.getItem('item')) which is a Web API and not secure and accessible.
In case of storage.local:
Is it possible for extension E to access data stored by extension A?
No. Each extension has its own storage.local area and it is not accessible by other extensions.
Is it possible for an arbitrary webpage to access data stored by extension A?
No. As above, access is limited to the extension only.
Is it possible for a webpage on which extension A is run to access data stored by this extension?
No. As above.
answered Nov 11 at 4:52
erosman
Thanks erosman for the answer and the clarifying note :) FTR I'm aware of the difference you mention and my problem was exactly that localStorage (Web API) security is extensively covered here and there but I had a really hard time to find similar details about storage (WebExtension API) security. Thanks for clarifying this for me.
– maciejchmielarz
Nov 11 at 20:21
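Added example, not part of the original question or answer: the documentation quoted in the question says content scripts share the extension's storage, so a page only ever sees stored values if extension A's own content script relays them. The sketch below shows such a relay restricted to one origin and an allow-list of keys; the origin, message types and key names are hypothetical.

```javascript
// Content-script bridge for a hypothetical extension "A".
// Page scripts have no browser.storage API; they receive only what this relays.

const POLICY = {
  allowedOrigin: "https://app.example.com", // assumed: the one site A serves
  pageReadableKeys: ["theme", "fontSize"],  // assumed: non-sensitive keys only
};

// Pure decision function: which storage keys may this message read?
// Returns [] when the message must be ignored.
function keysPageMayRead(event, pageWindow, policy) {
  if (event.source !== pageWindow) return [];           // sent by a frame or other window
  if (event.origin !== policy.allowedOrigin) return []; // sent by a different site
  const msg = event.data;
  if (!msg || msg.type !== "A_GET_SETTINGS" || !Array.isArray(msg.keys)) {
    return [];                                          // not a request in our format
  }
  // Drop anything outside the allow-list, so a request for e.g. "authToken"
  // never reaches storage.local at all.
  return msg.keys.filter(
    (k) => typeof k === "string" && policy.pageReadableKeys.includes(k)
  );
}

// Wiring: active only inside a content script, where browser.* and window exist
// (Chrome exposes the same API as chrome.storage.local).
if (typeof browser !== "undefined" && typeof window !== "undefined") {
  window.addEventListener("message", async (event) => {
    const keys = keysPageMayRead(event, window, POLICY);
    if (keys.length === 0) return;
    const values = await browser.storage.local.get(keys);
    // Reply only to the allowed origin, never to "*".
    window.postMessage({ type: "A_SETTINGS", values }, POLICY.allowedOrigin);
  });
}
```

Without a relay like this in the extension's own code, the page has no path to storage.local, which matches the answer above.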