W3C home > Mailing lists > Public > public-web-security@w3.org > October 2015

Security Review - Chrome Native Messaging

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 15 Oct 2015 07:37:23 +0200
To: "public-web-security@w3.org" <public-web-security@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <561F3B93.8080208@gmail.com>
Since Microsoft and Mozilla reportedly are implementing Chrome Extensions including Native Messaging it might be interesting with an an external review of the security in this system.

The following published extension of mine (and a bunch of similar extensions), exploring Chrome Native Messaging

      https://chrome.google.com/webstore/search/web2native

could together with a maliciously written native program (there is no vetting of what an Native Message extension actually do), enable any web-page on any domain executing any native-level program without asking the user for a permission.

In spite of this I consider Native Messaging a brilliant concept that is well worth a more thought-through approach (including security model), and eventually receiving standards status.

The only viable alternative is removing Native Messaging altogether or hiding it behind an experimental option.

Anders Rundgren
Received on Thursday, 15 October 2015 05:38:00 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 15 October 2015 05:38:01 UTC