- From: Rob Wu <rob@robwu.nl>
- Date: Sat, 3 Dec 2016 12:15:57 +0100
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: "public-browserext@w3.org" <public-browserext@w3.org>
- Message-ID: <CAA+18=zCx2xvcWBfPNAp3sOLecceD54zciBS8gC31=OGrax-zA@mail.gmail.com>
Native messaging can be "securely tied to invoking Web pages", but your application neglects to do so.

1) Your content script listens to messages in every page, and
2) blindly forwards the message to the background script, which
3) spawns a native messaging host and forwards the given message.

In step 1, your script knows the location of the page where it is running (e.g. event.origin in the message event, or just location.href).
In step 2, your background script knows the location of the sender (e.g. sender.frameUrl).
In step 3, your native application knows that the message was sent from a whitelisted extension (via the native messaging host manifest; in case you've registered multiple origins, the actual origin can still be identified in Chrome via the native app's command-line arguments).

* NOTE: If the web page is served over http, then the message's authenticity at step 1 cannot be guaranteed, since a MITM attacker can easily spoof messages.

If you do not validate the origin of the message at any of these steps, then yes, any web page can launch a native messaging app. This is not a problem with native messaging, but with your demo extension.

Kind regards,
Rob
https://robwu.nl

2016-12-03 8:26 GMT+01:00 Anders Rundgren <anders.rundgren.net@gmail.com>:
> Since native applications are not securely tied to invoking Web pages, it
> appears that this concept is susceptible to phishing.
> One may argue that Native Messaging isn't callable by Web pages but that's
> incorrect [1], and it is probably the #1 use-case as well.
>
> I believe the same problem is valid for the URL schemes used in Android as
> well.
>
> Anders
>
> [1] it just takes some ingenuity: https://github.com/cyberphone/web2native-bridge/tree/master/extension/release
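As an added example (not code from this thread or from the extension under discussion), here is the origin check for step 2 above: the background script compares the sender's page origin against a constructed allowlist before any native host is contacted, and rejects http pages outright for the reason given in the NOTE. It assumes the sender object exposes the page URL as sender.url (as Chrome's MessageSender does) and uses a placeholder native host name.

```javascript
// Added example: origin validation in the background script before a
// native messaging host is spawned. ALLOWED_ORIGINS is a constructed
// allowlist; NATIVE_HOST_NAME is a placeholder for the host registered
// in the native messaging manifest.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com', // constructed allowlist entry
]);
const NATIVE_HOST_NAME = 'com.example.native_host'; // placeholder

// Canonical origin of the sending page, or null if it is not an https page.
// Comparing the parsed origin (not a URL prefix) prevents a lookalike such as
// https://app.example.com.attacker.test from matching the allowlist entry.
function senderOrigin(sender) {
  if (!sender || typeof sender.url !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(sender.url);
  } catch (e) {
    return null;
  }
  // http pages are rejected: a network attacker can alter their content,
  // so a message "from" such a page proves nothing about who sent it.
  if (parsed.protocol !== 'https:') return null;
  return parsed.origin;
}

function isAllowedSender(sender, allowlist = ALLOWED_ORIGINS) {
  const origin = senderOrigin(sender);
  return origin !== null && allowlist.has(origin);
}

// connectNative is injected so the logic can be exercised without a browser;
// in the extension it is chrome.runtime.connectNative.
function handlePageMessage(message, sender, connectNative) {
  if (!isAllowedSender(sender)) {
    return { ok: false, error: 'sender origin not allowed', origin: senderOrigin(sender) };
  }
  const port = connectNative(NATIVE_HOST_NAME);
  port.postMessage(message);
  return { ok: true };
}

// Wiring inside the extension's background script (skipped outside a browser).
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    sendResponse(handlePageMessage(message, sender, chrome.runtime.connectNative));
  });
}
```

The content script (step 1) should apply the same origin comparison to event.origin before forwarding at all, so a rejected page never reaches the background script.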
Received on Saturday, 3 December 2016 11:17:19 UTC