- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sat, 3 Dec 2016 12:58:26 +0100
- To: Rob Wu <rob@robwu.nl>
- Cc: "public-browserext@w3.org" <public-browserext@w3.org>
Thanx Rob, It is (quite) possible that my analysis is incorrect. It seems that it is always useful to ask or claim something and see what returns :-) Since "content.js" is trusted (static content owned by the extension) the forwarded message context should also be trustworthy, right? That the demo blindly forwards messages to the background script from any Web page is "by design" since in a (full blown/real) W2NB implementation, the native applications are supposed to contain meta-data controlling various security and privacy aspects. Thanx again for looking into this! I hope to try the Mozilla version soon. Regards, Anders On 2016-12-03 12:15, Rob Wu wrote: > Native messaging can be "securely tied to invoking Web pages", but your application neglects to do so. > 1) Your content script listens to messages in every page, and > 2) blindly forwards the message to the background script, which > 3) spawns a native messaging host and forwards the given message. > > In step 1, your script knows the location of the page where it is running (e.g. event.origin in the message event, or just location.href). > In step 2, your background script knows the location of the sender (e.g. sender.frameUrl) > In step 3, your native application knows that the message was sent from a whitelisted extension (via the native messaging host manifest; in case you've registered multiple origins, the actual origin can still be identified in Chrome via the native app's command-line arguments). > > * NOTE: If the web page is served over http, then the message's authenticity at step 1 cannot be guaranteed, since a MITM attacker can easily spoof messages. > > If you do not validate the origin of the message at any of these steps, then yes, any web page can launch a native messaging app. This is not a problem with native messaging, but with your demo extension. > > Kind regards, > Rob > https://robwu.nl > > 2016-12-03 8:26 GMT+01:00 Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>: > > Since native applications are not securely tied to invoking Web pages, it appears that this concept is susceptible to phishing. > One may argue that Native Messaging isn't callable by Web pages but that's incorrect [1], and it is probably the #1 use-case as well. > > I believe the same problem is valid for the URL schemes used in Android as well. > > Anders > > 1] it just takes some ingenuity: https://github.com/cyberphone/web2native-bridge/tree/master/extension/release <https://github.com/cyberphone/web2native-bridge/tree/master/extension/release> > >
Received on Saturday, 3 December 2016 11:59:11 UTC