Consider this scenario:

A content script wants to upload a file. I would prefer this operation to be done from my service/background script, but passing a File to that side via messages seems to be somewhat impossible without weird workarounds.

This is a good reference for the workarounds available: "Passing FormData/File Object from content script to background script in chrome extension with Manifest V3"

Workaround 1 seems bad, since it will require breaking up the request, which is not compatible with the backend API. Workaround 2 seems insecure, since the host web page will definitely be able to send rogue messages to an embedded iframe as it will share context.

I'm considering having the content script perform the upload directly like this:

  1. The content script loads the authentication secret from extension storage (chrome.storage.sync or chrome.storage.local depending on login persistence mode).
  2. It calls fetch directly to upload the form data.

Is that safe?

One hazard I had in mind was that a host page could hook window.fetch to intercept the credentials. That doesn't seem possible after my testing (the content script has a separate fetch defined in its own isolated environment). Is there anything else to watch out for?

mukunda
  • Are you planning to use chrome.storage.local or chrome.storage.session to store the authentication secret? – Thomas Mueller Jan 26 '23 at 18:58
  • typically chrome.storage.sync – mukunda Jan 26 '23 at 19:02
  • "Is that safe?" - [chrome.storage > Storage areas](https://developer.chrome.com/docs/extensions/reference/storage/#storage-areas) warns that "Local and sync storage areas should not store confidential user data because they are not encrypted." - I don't know who would be able to steal this data, and how, but it's worth considering. – Thomas Mueller Jan 26 '23 at 19:06
  • That's a bit unrelated to the question, but regarding that, I figure it is just as safe as storing credentials in a cookie. In my case, I'm not using that kind of storage for passwords or such, and "credentials" just means an authentication token for the service. – mukunda Jan 26 '23 at 19:09
  • I realize that doing this from the content script is impossible due to CORS protection. This seems to be a recent enforcement for content scripts, so alas, it is not possible with the described approach. – mukunda Jan 26 '23 at 20:37
  • @ThomasMueller Anyone with access to the machine, for starters. – TylerH Jan 27 '23 at 19:52

0 Answers