Suppose an extension has a scary list of permissions like that below ("Site access: On all sites"):
Does this also give the extension permission to send my data to the author’s servers via XHR?
I’ve read the documentation here but lack some background knowledge, so I am not sure in my interpretation:
After reading this, it seemed like the extension isn’t allowed to send my data somewhere unless it has lines like the below in the manifest – is this correct?
"permissions": [ "https://www.google.com/" ]
Services like Dashlane and Bitwarden are unable to decrypt your passwords without your Master Password.
So, how does Chrome do it when they also state that your passwords are encrypted using your Google username and password?
Had a few Chrome vulnerabilities [CVE-2020-6420] detected by BI (Retina). Upgraded the affected machines to Chrome version 84.0.4147.89. After a re-scan, the same vulnerabilities are still detected.
Has anyone experienced this before? Please help to resolve.
As a frontend engineer, I often struggle to wait for the BE engineers to develop their APIs before I can get started building UI components.
So far, we would build the naive web components, and wait for the BE APIs before integration. However, this prevented me from developing end to end integrated experiences.
The Chrome WebRequests API mentions that specific request headers are not available to the onBeforeSendHeaders event, meaning that extensions cannot read and/or modify these headers. Here is an excerpt from the documentation:
The following headers are currently not provided to the onBeforeSendHeaders event. This list is not guaranteed to be complete nor stable.
Is there a security reason to disable extensions from reading or writing these? How could an extension act maliciously if it could read/write these values?
Clarification: I am aware why read access to some of these is a bad idea, most prominently any header featuring authentication data. However, other headers such as Content-Length are a complete enigma to me.
Furthermore, it’s unclear to me why some of these headers are completely inaccessible to extensions, instead of allowing setting a value or appending a value, even if read access is not granted.
If I understand correctly, Widevine, FairPlay and PlayReady are all security through obscurity. Given the popularity of services using them, can’t someone just RE them and find exactly how they work? If so, was it done? If not, why? If this (can be) done, why do people continue using these services?
Related: How does Widevine, FairPlay, and other DRM's work under the hood?
My wife inadvertently clicked on a flash player update and suddenly my Chrome browser is being managed by org. something about enterprise policy yadda yadda. I tried deleting Chrome and reinstalling but to no avail. How do I get rid of this devil spawn browser hijacker for good?
I’ve been dealing with this Chrome malware for a while now, and I can’t identify where it’s coming from. Very occasionally, when I click on a top link in Google, it’ll redirect me to a site that looks like this (always the same green circle with the text “Loading”), and then to adware. The redirect is located at a new domain every time, but it’s always the same green circle. Can anyone help? I only have uBlock Origin installed and I installed it via the Chrome Store. I’m on OS X Mojave. Malwarebytes turns up nothing (PUPs enabled).
I want to click the button from an extension, but the button click event does not work when I use JS DOM methods:
getElementsByClassName('button').click(); // Not working
// or
document.querySelector('button').click(); // Not working
The problem is that the button is created in “React.js”, so I think that is what keeps the button click event from happening.
Please suggest any solution for this problem.
I’m running Google Chrome Version 83.0.4103.61 (64-bit) on Windows 10, and I’ve suddenly noticed that never mind what website I visit, when I right click “View frame source” is an option.
This strikes me as odd, as that option is usually only available when you’re wanting to view the source code of an iFrame. Whether I click “View frame source” or “View page source” the source code and URL are the same.
But why does Chrome suddenly think that any website I load is being displayed in a frame? Is this cause for concern or am I just being paranoid?