There is a crucial element missing in the article below: how were the extensions able to execute remote code in their own context? By default, this is not possible. (cc. @dangoodin001) https://arstechnica.com/information-technology/2019/07/dataspii-technical-deep-dive/ …
While the blocking ability of the webRequest API is used as a scapegoat, the bigger issue is extensions giving themselves the ability to execute code not part of their package. https://twitter.com/gorhill/status/1139306139072507906 …
Not only are extensions with remote code execution ability free to exist in the Chrome Web Store, users are not specifically warned about such ability when they install such an extension.
Meanwhile, ignoring the more important issue of remote code execution in extension context opens the door to dubious advice. Don't be fooled: it's possible to have more trust in an extension than the browser on which it runs, or the websites which you visit. pic.twitter.com/EbpnZjLvu0
Nowadays it's best to presume the world wide web is highly hostile to users, and installing a *trusted* content blocker is the best mitigation. pic.twitter.com/iK78ODisqJ
Never install an extension declaring `unsafe-eval`/`unsafe-inline` in its manifest.json file.
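
One way to run the manifest check from the last tweet before installing an extension, as an added example that is not part of the original thread. The function names and sample manifests are constructed for illustration, and the check goes one step beyond the tweet by also flagging host or scheme sources in `script-src`, since those equally permit code from outside the package.

```javascript
// Added example: flag CSP entries in manifest.json that let an extension run
// code that is not part of its package. All names here are hypothetical.
const RISKY_KEYWORDS = new Set(["'unsafe-eval'", "'unsafe-inline'"]);

// Parse a CSP string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // An empty segment yields no name; a repeated directive is ignored (first wins).
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Audit a parsed manifest.json object; returns an array of findings.
function auditManifest(manifest) {
  const csp = manifest.content_security_policy;
  // Manifest V2 stores one string; Manifest V3 stores an object per context.
  const policies = typeof csp === "string" ? { extension_pages: csp } : csp || {};
  const findings = [];
  for (const [context, policy] of Object.entries(policies)) {
    if (typeof policy !== "string") continue;
    const directives = parseCsp(policy);
    // script-src falls back to default-src when it is not declared.
    const sources = directives.get("script-src") ?? directives.get("default-src") ?? [];
    for (const source of sources) {
      const token = source.toLowerCase();
      if (RISKY_KEYWORDS.has(token)) {
        findings.push({ context, source: token, reason: "dynamic or inline code allowed" });
      } else if (!token.startsWith("'")) {
        // Unquoted entries are host or scheme sources, i.e. outside the package.
        findings.push({ context, source: token, reason: "script source outside the package" });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const riskyV2 = { manifest_version: 2, content_security_policy:
  "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'" };
const strictV3 = { manifest_version: 3, content_security_policy:
  { extension_pages: "script-src 'self'; object-src 'self'" } };

console.log(auditManifest(riskyV2));
console.log(auditManifest(strictV3));
```

A manifest with no `content_security_policy` key yields no findings here, because the browser then applies its default extension policy.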