Why does Chrome not allow the modification of these headers by extensions?

The Chrome WebRequests API mentions that specific request headers are not available to the onBeforeSendHeaders event, meaning that extensions cannot read and/or modify these headers. Here is an excerpt from the documentation:

The following headers are currently not provided to the onBeforeSendHeaders event. This list is not guaranteed to be complete nor stable.

  • Authorization
  • Cache-Control
  • Connection
  • Content-Length
  • Host
  • If-Modified-Since
  • If-None-Match
  • If-Range
  • Partial-Data
  • Pragma
  • Proxy-Authorization
  • Proxy-Connection
  • Transfer-Encoding

Is there a security reason to prevent extensions from reading or writing these? How could an extension act maliciously if it could read/write these values?

Clarification: I am aware why read access to some of these is a bad idea, most prominently any header featuring authentication data. However, other headers such as Host, Connection or Content-Length are a complete enigma to me.

Furthermore, it’s unclear to me why some of these headers are completely inaccessible to extensions, instead of allowing setting a value or appending a value, even if read access is not granted.
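Added example, not from the question and not Chrome's own code: a Node-runnable model of what an onBeforeSendHeaders listener is shown and what it can change, built from the header list quoted above. The listener shape (`details.requestHeaders` in, `{requestHeaders}` out) follows the webRequest API; what Chrome does when a listener returns one of the hidden headers is an assumption in this model (it is discarded), and the sample request is constructed.

```javascript
// Added example (not from the question or from Chrome): a model of what an
// extension's onBeforeSendHeaders listener can and cannot see, using the header
// list quoted above. How Chrome treats an attempt to add one of the hidden headers
// is an assumption here: the model drops it. Runs in Node without Chrome.

// Header names quoted from the documentation excerpt above. HTTP header names are
// case-insensitive, so matching is done on the lower-cased name.
const HIDDEN_REQUEST_HEADERS = new Set([
  'Authorization', 'Cache-Control', 'Connection', 'Content-Length', 'Host',
  'If-Modified-Since', 'If-None-Match', 'If-Range', 'Partial-Data', 'Pragma',
  'Proxy-Authorization', 'Proxy-Connection', 'Transfer-Encoding',
].map((h) => h.toLowerCase()));

const isHidden = (name) => HIDDEN_REQUEST_HEADERS.has(name.toLowerCase());

// What the listener receives: details.requestHeaders minus the hidden ones.
function visibleHeaders(fullHeaders) {
  return fullHeaders.filter((h) => !isHidden(h.name));
}

// A listener in the shape the API uses: it returns {requestHeaders} to replace the
// header set. This one tries three things: rewrite User-Agent (visible, allowed),
// add its own header (allowed), and inject Authorization/Host (hidden; modelled as
// having no effect).
function exampleListener(details) {
  const headers = details.requestHeaders.map((h) => ({ ...h }));
  for (const h of headers) {
    if (h.name.toLowerCase() === 'user-agent') h.value = 'ExampleExt/1.0';
  }
  headers.push({ name: 'X-Ext-Trace', value: details.requestId });
  headers.push({ name: 'Authorization', value: 'Bearer attacker-token' });
  headers.push({ name: 'Host', value: 'evil.example' });
  return { requestHeaders: headers };
}

// Model of the browser side: show the listener only the visible headers, merge its
// answer back, and keep the original hidden headers untouched. Assumption: hidden
// headers supplied by the listener are discarded rather than appended.
function applyListener(fullHeaders, listener, details = {}) {
  const hidden = fullHeaders.filter((h) => isHidden(h.name));
  const result = listener({ ...details, requestHeaders: visibleHeaders(fullHeaders) });
  const returned = result && result.requestHeaders ? result.requestHeaders : visibleHeaders(fullHeaders);
  const accepted = returned.filter((h) => !isHidden(h.name));
  return [...hidden, ...accepted];
}

// Constructed sample request, roughly what a browser sends for an authenticated fetch.
const SAMPLE_REQUEST_HEADERS = [
  { name: 'Host', value: 'api.example.com' },
  { name: 'Authorization', value: 'Bearer user-session-token' },
  { name: 'User-Agent', value: 'Mozilla/5.0' },
  { name: 'Accept', value: 'application/json' },
  { name: 'Content-Length', value: '42' },
];

function headerValue(headers, name) {
  const h = headers.find((x) => x.name.toLowerCase() === name.toLowerCase());
  return h ? h.value : undefined;
}

// Run the model once: which names the listener saw, and the final header set.
function demo() {
  const seen = visibleHeaders(SAMPLE_REQUEST_HEADERS).map((h) => h.name);
  const out = applyListener(SAMPLE_REQUEST_HEADERS, exampleListener, { requestId: '17' });
  return { seen, out };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { seen, out } = demo();
  console.log('listener saw:', seen.join(', '));
  console.log('final request headers:', out);
}
```

The point the model makes concrete: the listener never sees the session's Authorization or the real Host, and its attempt to replace them changes nothing, while everything it is shown (User-Agent, Accept, its own headers) is fully under its control.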

Can’t one reverse engineer Chrome’s source code to reveal Widevine and friends’ keys?

If I understand correctly, Widevine, FairPlay and PlayReady are all security through obscurity. Given the popularity of services using them, can’t someone just RE them and find exactly how they work? If so, was it done? If not, why? If this can be done, why do people continue using these services?

Related: How does Widevine, FairPlay, and other DRM's work under the hood?

Chrome Malware, Redirects To Ad When I Click Link in Google?

I’ve been dealing with this Chrome malware for a while now, and I can’t identify where it’s coming from. Very occasionally, when I click on a top link in Google, it’ll redirect me to a site that looks like this (always the same green circle with the text “Loading”), and then to adware. The redirect is located at a new domain every time, but it’s always the same green circle. Can anyone help? I only have uBlock Origin installed and I installed it via the Chrome Store. I’m on OS X Mojave. Malwarebytes turns up nothing (PUPs enabled).

Chrome Extension: document.querySelector(‘button’).click() is not working on a button created with React

I want the extension to click the button, but the button click event is not working when I use JS DOM methods:

    document.getElementsByClassName('button')[0].click(); // Not working
    // or
    document.querySelector('button').click(); // Not working

The problem is that the button is created with “React.js“, so I think that is what causes the button click event not to fire.

Please suggest me any solution for this problem.
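Added example, not from the question and not from React: one approach that is commonly used for this situation, written here so it can be tried as a content script. It rests on two assumptions stated in the comments: React handles clicks through listeners delegated to its root (the document in older versions), so a native event must be bubbling to reach them, and a content script may run before React has rendered the button at all, so the click has to wait. The selector in the usage comment is constructed.

```javascript
// Added example (not from the question or from React): dispatch real, bubbling
// mouse events instead of a bare element.click(), and wait until the target exists.
// Assumptions: React's handlers are delegated listeners on its root (or document),
// so the native event must bubble to reach them; and the content script may run
// before React has mounted the button, so the click is retried until it appears.

// Build a bubbling, cancelable event: MouseEvent in browsers, plain Event elsewhere
// (Node has Event/EventTarget, which lets the helper be exercised outside a browser).
function makeEvent(type) {
  const init = { bubbles: true, cancelable: true };
  if (typeof MouseEvent !== 'undefined') {
    return new MouseEvent(type, { ...init, view: window, button: 0 });
  }
  return new Event(type, init);
}

// Dispatch the sequence a real mouse click produces. Returns how many of the events
// were not default-prevented, so a caller can see whether a handler swallowed one.
function dispatchRealClick(target) {
  const sequence = ['pointerdown', 'mousedown', 'pointerup', 'mouseup', 'click'];
  let uncancelled = 0;
  for (const type of sequence) {
    if (target.dispatchEvent(makeEvent(type))) uncancelled += 1;
  }
  return uncancelled;
}

// Poll until find() returns a node (React may mount after the content script runs),
// then click it. find is injected so the logic is testable without a DOM.
function clickWhenPresent(find, { timeoutMs = 5000, intervalMs = 100 } = {}) {
  return new Promise((resolve, reject) => {
    const deadline = Date.now() + timeoutMs;
    const attempt = () => {
      const node = find();
      if (node) return resolve(dispatchRealClick(node));
      if (Date.now() > deadline) return reject(new Error('target not found before timeout'));
      setTimeout(attempt, intervalMs);
    };
    attempt();
  });
}

// In a content script the call would look like this (constructed selector):
//   clickWhenPresent(() => document.querySelector('button.submit')).catch(console.error);
```

If the handler still does not fire, check in DevTools which element actually carries React's onClick (it may be an inner span or an ancestor of the button) and that the content script runs with "run_at" late enough, or simply relies on the polling above.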


“View frame source” is suddenly an option on every website loaded with Chrome

I’m running Google Chrome Version 83.0.4103.61 (64-bit) on Windows 10, and I’ve suddenly noticed that never mind what website I visit, when I right click “View frame source” is an option.

This strikes me as odd, as that option is usually only available when you want to view the source code of an iFrame. Whether I click “View frame source” or “View page source”, the source code and URL are the same.

But why does Chrome suddenly think that any website I load is being displayed in a frame? Is this cause for concern or am I just being paranoid?

Chrome extension differences: Urban Shield VS Urban Free VPN proxy Unblocker

What’s the difference between these two Chrome extensions, which provide VPN functionality for browsing via Chrome:

Urban Shield: https://chrome.google.com/webstore/detail/urban-shield/almalgbpmcfpdaopimbdchdliminoign?hl=en

Urban Free VPN proxy Unblocker: https://chrome.google.com/webstore/detail/urban-free-vpn-proxy-unbl/eppiocemhmnlbhjplcgkofciiegomcon

They are both developed by the same company, but I couldn’t find any explanation regarding the differences between the two.

Firefox and Chrome load resources with max-age differently?

I’m trying to troubleshoot something on the client and I believe it has something to do with the browser caching requests.

I’m loading the same page on Firefox and Chrome (Canary). When I look in the network tab, I see different behavior.

The server response has a max-age set for cache control. I see that Chrome always loads from (disk cache) if max-age has not been reached. But for Firefox, I’ll see it load the resource not from cache once in a while before max-age has been reached. Also I’m seeing 304 ‘Not Modified’ in Firefox, but not in Chrome.

Can someone help explain what I’m seeing?

Here are some screenshots of the Network tabs: [Firefox network tab] [Chrome network tab]
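Added example, not from the question: a small Node model of the HTTP caching rules behind the two behaviours described (a load served from cache, and a revalidation that ends in 304). It implements the RFC 7234 core only: a stored response is served while fresh (age below max-age), otherwise the browser sends a conditional request built from the stored ETag / Last-Modified, and a 304 refreshes the stored entry without a new body. Browser-specific heuristics, which are what differ between Firefox and Chrome, are deliberately not modelled; the walk-through timestamps and headers are constructed.

```javascript
// Added example (not from the question): a model of the freshness and revalidation
// rules a browser cache applies. Header names are lower-cased, times are epoch ms.
// Browser heuristics (what each browser does with no explicit lifetime, prefetching,
// racing cache against network) are outside this model.

function parseCacheControl(value = '') {
  const directives = {};
  for (const part of value.split(',')) {
    const [k, v] = part.trim().split('=');
    if (k) directives[k.toLowerCase()] = v === undefined ? true : v.replace(/"/g, '');
  }
  return directives;
}

// Freshness lifetime in seconds: max-age wins over Expires; null means no explicit
// lifetime (browsers then fall back to heuristics, which this model does not apply).
function freshnessLifetime(headers) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc['no-store']) return 0;
  if (cc['max-age'] !== undefined) return Number(cc['max-age']);
  if (headers.expires && headers.date) {
    return (Date.parse(headers.expires) - Date.parse(headers.date)) / 1000;
  }
  return null;
}

// Current age: the Age header at storage time plus the time since it was stored.
function currentAge(entry, nowMs) {
  const initialAge = Number(entry.headers.age || 0);
  return initialAge + (nowMs - entry.storedAtMs) / 1000;
}

function isFresh(entry, nowMs) {
  const cc = parseCacheControl(entry.headers['cache-control']);
  if (cc['no-cache']) return false; // usable only after successful revalidation
  const lifetime = freshnessLifetime(entry.headers);
  if (lifetime === null) return false;
  return currentAge(entry, nowMs) < lifetime;
}

// Conditional headers a browser sends to revalidate a stale entry.
function revalidationHeaders(entry) {
  const h = {};
  if (entry.headers.etag) h['if-none-match'] = entry.headers.etag;
  if (entry.headers['last-modified']) h['if-modified-since'] = entry.headers['last-modified'];
  return h;
}

// What the cache does for a request at nowMs: serve from cache, revalidate, or fetch.
function decide(entry, nowMs) {
  if (!entry) return { action: 'fetch' };
  if (isFresh(entry, nowMs)) return { action: 'serve-from-cache' };
  const cond = revalidationHeaders(entry);
  return Object.keys(cond).length ? { action: 'revalidate', headers: cond } : { action: 'fetch' };
}

// Apply the origin's answer: a 304 keeps the stored body and takes the new headers,
// which restarts the freshness clock; anything else replaces the entry.
function applyResponse(entry, response, nowMs) {
  if (response.status === 304) {
    return { body: entry.body, headers: { ...entry.headers, ...response.headers }, storedAtMs: nowMs };
  }
  return { body: response.body, headers: response.headers, storedAtMs: nowMs };
}

// Constructed walk-through of a resource with max-age=60 and an ETag.
function walkthrough() {
  const t0 = Date.parse('2020-06-01T12:00:00Z');
  const headersAt = (ms) => ({ date: new Date(ms).toUTCString(), 'cache-control': 'max-age=60', etag: '"abc"' });
  const entry = { body: 'v1', storedAtMs: t0, headers: headersAt(t0) };
  const steps = [];
  steps.push(decide(entry, t0 + 30000).action);          // 30 s old: fresh
  const stale = decide(entry, t0 + 90000);               // 90 s old: stale
  steps.push(stale.action);
  const refreshed = applyResponse(entry, { status: 304, headers: headersAt(t0 + 90000) }, t0 + 90000);
  steps.push(decide(refreshed, t0 + 120000).action);     // 30 s after the 304: fresh again
  return { steps, ifNoneMatch: stale.headers['if-none-match'], body: refreshed.body };
}
```

Reading the network tab against this model: a "from disk cache" row is the serve-from-cache branch, a 304 row is the revalidate branch, and a 200 with a full body before max-age expired is something the model does not produce on its own, which points to a browser heuristic (or a request that carried no-cache, such as a reload) rather than to the server's max-age.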

Did changes in Google Chrome 80 weaken cookie and password encryption?

According to Arun on StackOverflow “Starting Chrome 80 version, cookies are encrypted using the AES256-GCM algorithm, and the AES encryption key is encrypted with the DPAPI encryption system, and the encrypted key is stored inside the ‘Local State’ file.”. (https://stackoverflow.com/questions/60230456/dpapi-fails-with-cryptographicexception-when-trying-to-decrypt-chrome-cookies/60611673#60611673).

Now at first glance this looks like an improvement: rather than passing cookies to the Windows Data Protection API (DPAPI) directly, they’re encrypted with a better algorithm and only the key is protected through the API. Stronger encryption is used and the Windows Data Protection API encrypts the key. Unfortunately the protection scope is changed from LocalUser to LocalMachine.

It appears that this means if a user were to copy the hard drive by plugging it into another computer, they would no longer need your Windows account password to decrypt this key in the Local State file with the Windows Data Protection API. In theory this would allow another user on the system to steal passwords and cookies, further weakening security protections that existed before.

I put together a code demo with Brave Browser demonstrating this risk (see: https://github.com/irlcatgirl/BraveCookieReaderDemo). It’s easy enough to swap paths of SQLite and Local State files for Chrome.

According to https://docs.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata#parameters

Typically, only a user with logon credentials that match those of the user who encrypted the data can decrypt the data. In addition, decryption usually can only be done on the computer where the data was encrypted. However, a user with a roaming profile can decrypt the data from another computer on the network. If the CRYPTPROTECT_LOCAL_MACHINE flag is set when the data is encrypted, any user on the computer where the encryption was done can decrypt the data. The function creates a session key to perform the encryption. The session key is derived again when the data is to be decrypted.

Given this change in Windows DPAPI scope, did the change harm Chrome’s security, or am I misinterpreting my findings?