There is a crucial element missing in the article below: how were the extensions able to execute remote code in their own context? By default, this is not possible. (cc. @dangoodin001) https://arstechnica.com/information-technology/2019/07/dataspii-technical-deep-dive/
So something is not being said in this article and the report makes no mention of this either: For an extension to be able to execute remote code in their own context, they need to explicitly declare `unsafe-eval` in their manifest.json. pic.twitter.com/7DCo8yADTg
R. Hill retweeted R. Hill
While the blocking ability of the webRequest API is used as a scapegoat, the bigger issue is extensions giving themselves ability to execute code not part of their package. https://twitter.com/gorhill/status/1139306139072507906
R. Hill added,
R. Hill @gorhill: The abuse I've seen repeatedly is not of webRequest API: unethical blockers ripping the code base of legitimate blockers, but with an added permission which allows execution of remote code in extension context. https://twitter.com/gorhill/status/1134578114946850816
Not only are extensions with remote code execution ability free to exist in the Chrome Web Store, users are not specifically warned about such ability when they install such an extension.
Meanwhile, ignoring the more important issue of remote code execution in extension context opens the door to dubious advice. Don't be fooled: it's possible to have more trust in an extension than the browser on which it runs, or the websites which you visit. pic.twitter.com/EbpnZjLvu0
Nowadays it's best to presume the world wide web is highly hostile to users, and installing a *trusted* content blocker is the best mitigation. pic.twitter.com/iK78ODisqJ
Never install an extension declaring `unsafe-eval`/`unsafe-inline` in its manifest.json file.
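As an added example (not part of the thread and not R. Hill's code), here is a small Python check that reads an extension's manifest.json and reports `'unsafe-eval'` or `'unsafe-inline'` in its content security policy. It assumes the standard `content_security_policy` manifest key (a string in Manifest V2, an object of named policies in Manifest V3) and a manifest that is plain JSON without comments; the sample manifests are constructed.

```python
import json
import sys

# Keywords the thread warns about; matched as whole CSP source tokens.
RISKY = {"'unsafe-eval'", "'unsafe-inline'"}

def parse_csp(policy):
    """Split a CSP string into {directive: [sources]}; the first occurrence of a directive wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives

def manifest_policies(manifest):
    """Yield (label, policy) pairs for the Manifest V2 (string) and V3 (object) layouts."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, str):
        yield "content_security_policy", csp
    elif isinstance(csp, dict):
        for key, value in csp.items():
            if isinstance(value, str):
                yield "content_security_policy." + key, value

def audit_manifest(manifest_text):
    """Return sorted (policy label, directive, keyword) findings for one manifest.json."""
    findings = []
    for label, policy in manifest_policies(json.loads(manifest_text)):
        for directive, sources in parse_csp(policy).items():
            findings.extend((label, directive, s) for s in sources if s in RISKY)
    return sorted(findings)

# Constructed sample manifests (not taken from any real extension).
SAMPLE_V2_RISKY = """{"name": "constructed-blocker", "manifest_version": 2,
 "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"}"""
SAMPLE_V3_SANDBOX = """{"name": "constructed-sandbox", "manifest_version": 3,
 "content_security_policy": {
   "extension_pages": "script-src 'self'; object-src 'self'",
   "sandbox": "sandbox allow-scripts; script-src 'self' 'unsafe-inline' 'unsafe-eval'"}}"""
SAMPLE_CLEAN = """{"name": "constructed-clean", "manifest_version": 2,
 "content_security_policy": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"}"""

if __name__ == "__main__":
    # Usage: python audit.py path/to/manifest.json [...]; with no arguments, audits one sample.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_V2_RISKY]
    for text in texts:
        for label, directive, keyword in audit_manifest(text):
            print(f"{label}: {directive} allows {keyword}")
```

A manifest with no `content_security_policy` key produces no findings, because the check only reports keywords that are explicitly declared.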