
I noticed that browser extensions have the permission to access localStorage from any webpage (Get localStorage from within extension without loading a page) as well as cookies (Access cookies from Google Chrome extension). If you give them permissions to access all data on any webpage, then their glorified window objects can do this. (Can browser extensions do more than that?)

Let's assume you have a script like this:

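<script>
   function SecretThing() {
      // give the client a secret safe from browser extensions: (?)
      // 32 random bytes from the Web Crypto API (Crypto.random() does not exist)
      var mySecret = crypto.getRandomValues(new Uint8Array(32));
      // some cryptography with mySecret
   }
   var secretThing = new SecretThing();
</script>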

Basically, I am wondering if I could do math on mySecret, inside of a "SecretThing" object, without ever revealing mySecret to a Chrome extension. I would only write getters to get stuff (e.g. signed or encrypted messages) from the secret.

I am not sure a window object could even access mySecret (or can it?), which is why I think that maybe a browser extension (which I said was mainly a window object) might also not be able to. What do you think? I have never made a browser extension before.

nick carraway
  • `secretThing` variable is *globally* scoped so it can be accessed by an extension (in Chrome it's done by injecting a script element with the extractor code, in Firefox it's done via wrappedJSObject) - in other words you need to hide all your stuff in closures and never expose any global variables. – wOxxOm Mar 02 '19 at 04:52
  • mySecret is inside secretThing? So mySecret is locally scoped? – nick carraway Mar 02 '19 at 06:58
  • `mySecret` is a local variable inside `SecretThing` function, not `secretThing` object, which doesn't have any accessible properties. You may want to read about closures in JS. – wOxxOm Mar 02 '19 at 07:06

0 Answers
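The scoping distinction raised in the comments, as an added example that is not part of the original question or comments: it compares a secret stored as a property with one held in a closure, and lists what a script holding the object can read. `LeakyThing`, `tag`, `reachableValues`, `canRead` and `demo` are hypothetical names, the secret bytes are constructed, and the keyed checksum is only a synchronous stand-in for real cryptography.

```javascript
// Added example; LeakyThing, tag, reachableValues, canRead, demo are hypothetical names.

// Design A: secret stored as a property, readable by anything holding the object.
function LeakyThing(secret) {
  this.mySecret = secret;
}

// Design B (the question's shape): secret is a local captured by a closure.
function SecretThing(secret) {
  var mySecret = secret; // never attached to `this`
  // Stand-in for "some cryptography with mySecret": keyed FNV-1a style checksum,
  // chosen only to keep the demo synchronous. Not a secure MAC.
  this.tag = function (message) {
    var h = 0x811c9dc5;
    for (var i = 0; i < mySecret.length; i++) h = Math.imul(h ^ mySecret[i], 0x01000193);
    for (var j = 0; j < message.length; j++) h = Math.imul(h ^ message.charCodeAt(j), 0x01000193);
    return (h >>> 0).toString(16).padStart(8, "0");
  };
}

// What a script in the page's JS context can do with a reference:
// walk own and inherited properties and collect every readable value.
function reachableValues(obj) {
  var seen = [];
  for (var o = obj; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    Reflect.ownKeys(o).forEach(function (key) {
      seen.push({ key: String(key), value: obj[key] });
    });
  }
  return seen;
}

function canRead(obj, secret) {
  return reachableValues(obj).some(function (p) { return p.value === secret; });
}

function demo() {
  var secret = Uint8Array.from([1, 2, 3, 4]); // constructed sample, not random
  // A top-level `var secretThing` in a classic <script> becomes a property of
  // the global object; assigning to globalThis reproduces that here.
  globalThis.secretThing = new SecretThing(secret);
  var viaGlobal = globalThis.secretThing; // reachable by any page-context script
  return {
    leakyReadable: canRead(new LeakyThing(secret), secret),     // true
    closureReadable: canRead(viaGlobal, secret),                // false
    oracleCallable: typeof viaGlobal.tag("hello") === "string"  // true
  };
}
```

The closure keeps `mySecret` out of reach of property access, but `tag` remains callable by anything that can reach the global `secretThing`, which is why the first comment says to avoid exposing globals at all.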