

A few months ago I looked into the inner workings of DuckDuckGo Privacy Essentials, a popular browser extension meant to protect the privacy of its users. I found some of the typical issues (mostly resolved since) but also two actual security vulnerabilities. First of all, the extension used insecure communication channels for some internal communication, which, quite ironically, caused some data leakage across domain boundaries. The second vulnerability gave a DuckDuckGo server way more privileges than intended: a Cross-site Scripting (XSS) vulnerability in the extension allowed this server to execute arbitrary JavaScript code on any domain.

Both issues are resolved in DuckDuckGo Privacy Essentials 2021.2.3 and above. At the time of writing, this version is only available for Google Chrome however. Two releases have been skipped for Mozilla Firefox and Microsoft Edge for some reason, so that the latest version available there only fixes the first issue (insecure internal communication). Update (): An extension version with the fix is now available for both Firefox and Edge.

These vulnerabilities are very typical, I've seen similar mistakes in other extensions many times. This isn't merely extension developers being clueless. The extension platform introduced by Google Chrome simply doesn't provide secure and convenient alternatives. So most extension developers are bound to get it wrong on the first try.

JSON.stringify() will properly encode any data, so that it is safe to insert into JavaScript code. The only concern (irrelevant in this case): if you insert JSON-encoded data into a <script> tag, you'll need to watch out for </script> in the data. You can escape forward slashes after calling JSON.stringify() to avoid this issue.

I've heard that Google is implementing Manifest V3 in order to make their extension platform more secure. While these changes will surely help, may I suggest doing something about the things that extensions continuously get wrong? For example, extension developers keep resorting to window.postMessage() for internal communication. I understand that sendMessage() is all one needs to keep things secure. If there are no convenient secure APIs, extension developers will continue using insecure alternatives.

Update (): Linked to respective Chromium issues.
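To make the escaping advice concrete, here is an added example of my own; it is not code from the original post or from the DuckDuckGo extension. It embeds JSON-encoded data into an inline script tag first with plain JSON.stringify() and then with forward slashes escaped, and counts how many closing script tags an HTML parser would see in each result. The function names and the sample value are constructed for the illustration.

```javascript
// Added example (not from the original post): embedding JSON-encoded data in
// an inline <script> tag without letting the data terminate the tag early.

// Naive approach: JSON.stringify() alone is safe for JavaScript syntax, but
// the HTML parser ends the script at the first "</script>" it sees, so data
// containing that substring breaks out of the script context.
function embedNaive(data) {
  return '<script>var payload = ' + JSON.stringify(data) + ';</script>';
}

// Fixed approach: escape every forward slash as "\/". Both JSON and
// JavaScript accept "\/" as an escape for "/", so the decoded value is
// unchanged, but "</script>" can no longer appear literally in the body.
function toScriptSafeJson(data) {
  return JSON.stringify(data).replace(/\//g, '\\/');
}

function embedSafe(data) {
  return '<script>var payload = ' + toScriptSafeJson(data) + ';</script>';
}

// Count the closing script tags an HTML parser would see. The real parser is
// case-insensitive, hence the /i flag.
function countScriptCloseTags(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// Constructed sample: an untrusted string carrying a closing tag.
const sample = { name: 'untrusted </script> is enough to break out' };

// embedNaive(sample) contains two closing tags (one smuggled in by the data),
// embedSafe(sample) contains exactly one (the legitimate closing tag), and
// the escaped form still decodes to the original object.
```

Only the HTML side needs this extra step: once the slashes are escaped, the JSON is still valid JSON and still a valid JavaScript expression, so JSON.parse() on the server and the script engine in the browser both recover the original value.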
