
Is there any way of storing data (for example, a CSRF token) that cannot be accessed by a Chrome extension under any circumstances?

Ideally I would like to store information that would remain secure even if a naïve user granted all permissions to an extension.

hoipolloi
  • In general, if you want to store data securely, don't store it in the browser. – Sumner Evans Jan 30 '15 at 00:13
  • What's the point? The user can get at it by using the Javascript console, and then copy it into the extension. – Barmar Jan 30 '15 at 00:15
  • Presumably, you want something accessible to a page's JavaScript? – Xan Jan 30 '15 at 00:17
  • @Xan - yes. I was wondering if there was somewhere that was accessible to the page but inaccessible to an extension. – hoipolloi Jan 30 '15 at 00:27
  • @Barmar - of course, the user has full control. I'm trying to prevent a rogue extension from accessing privileged data (like a CSRF token) without the user's knowledge. – hoipolloi Jan 30 '15 at 00:30

1 Answer


I was wondering if there was somewhere that was accessible to the page but inaccessible to an extension.

Consider the so-called page-level scripts. A content script can inject a <script> tag into the page, and it will be executed in the same environment as the page.

It can then extract your hypothetical secure data and communicate with the rest of the extension.

What's worse, you can't reasonably prevent this injection, as it ignores your page's CSP.

Xan