Can Chrome Extensions Send Data to Remote Servers?

Suppose an extension has a scary list of permissions like the one below ("Site access: On all sites"):


Does this also give the extension permission to send my data to the author’s servers via XHR?

I’ve read the documentation here but lack some background knowledge, so I am not sure of my interpretation:

Cross-Origin XMLHttpRequest

After reading this, it seemed like the extension isn’t allowed to send my data somewhere unless it has lines like the below in the manifest – is this correct?

"permissions": [
  "https://www.google.com/"
]

Chrome vulnerabilities are detected in vulnerability scan even after upgrading to the latest version

Had a few Chrome vulnerabilities [CVE-2020-6420] detected by BI (Retina). Upgraded the affected machines to Chrome version 84.0.4147.89. After a re-scan, the same vulnerabilities are still detected.

Has anyone experienced this before? Please help to resolve it.

Why does Chrome not allow the modification of these headers by extensions?

The Chrome WebRequests API mentions that specific request headers are not available to the onBeforeSendHeaders event, meaning that extensions cannot read and/or modify these headers. Here is an excerpt from the documentation:

The following headers are currently not provided to the onBeforeSendHeaders event. This list is not guaranteed to be complete nor stable.

  • Authorization
  • Cache-Control
  • Connection
  • Content-Length
  • Host
  • If-Modified-Since
  • If-None-Match
  • If-Range
  • Partial-Data
  • Pragma
  • Proxy-Authorization
  • Proxy-Connection
  • Transfer-Encoding

Is there a security reason to disable extensions from reading or writing these? How could an extension act maliciously if it could read/write these values?


Clarification: I am aware why read access to some of these is a bad idea, most prominently any header featuring authentication data. However, other headers such as Host, Connection or Content-Length are a complete enigma to me.

Furthermore, it’s unclear to me why some of these headers are completely inaccessible to extensions, instead of allowing setting a value or appending a value, even if read access is not granted.

Can’t one reverse engineer Chrome source code to reveal the keys of Widevine and friends?

If I understand correctly, Widevine, FairPlay and PlayReady are all security through obscurity. Given the popularity of services using them, can’t someone just RE them and find exactly how they work? If so, was it done? If not, why? If this can be done, why do people continue using these services?

Related: How do Widevine, FairPlay, and other DRMs work under the hood?

Chrome Malware, Redirects To Ad When I Click Link in Google?

I’ve been dealing with this Chrome malware for a while now, and I can’t identify where it’s coming from. Very occasionally, when I click on a top link in Google, it’ll redirect me to a site that looks like this (always the same green circle with the text “Loading”), and then to adware. The redirect is located at a new domain every time, but it’s always the same green circle. Can anyone help? I only have uBlock Origin installed and I installed it via the Chrome Store. I’m on OS X Mojave. Malwarebytes turns up nothing (PUPs enabled).

Chrome Extension: document.querySelector('button').click() is not working on a button created in React

I want the extension to click the button, but the button click event is not working if I use JS DOM methods:

document.getElementsByClassName('button')[0].click(); // Not working
// or
document.querySelector('button').click(); // Not working

The problem is that the button is created in “React.js”, so I think that causes the button click event not to happen.

Please suggest any solution for this problem.

Thanks.

“View frame source” is suddenly an option on every website loaded with Chrome

I’m running Google Chrome Version 83.0.4103.61 (64-bit) on Windows 10, and I’ve suddenly noticed that no matter what website I visit, when I right-click, “View frame source” is an option.

This strikes me as odd, as that option is usually only available when you want to view the source code of an iFrame. Whether I click “View frame source” or “View page source”, the source code and URL are the same.

But why does Chrome suddenly think that any website I load is being displayed in a frame? Is this cause for concern or am I just being paranoid?