
I was under the impression that accessing elements from a site is Cross-Domain Access, and unless the origin was allowed you couldn't access those elements from the 'target'.

How is this different, for example, from loading SalesForce.com in an iframe and trying to access the login page (which you can't, for obvious reasons) vs how LastPass can access those elements to fill in my password and username? Or even Chrome's form filler?

Does a browser extension actually have more control or power to do this? If so, what's the underlying geeky details?

Thanks!!

EKet

1 Answer

Yes, when someone writes an extension they create a manifest defining the required permissions. So when installing the extension, you explicitly have to agree with these permissions, especially ones like 'Access your data on all websites'.

Extensions are by default bound to the regular sandboxing rules of websites, unless they request more via the manifest, like LastPass does, and Chrome itself does implicitly.

Niels Keurentjes
  • Interesting. But doesn't the 'approval' have to come from the server being requested? Doesn't that mean any extension can just take the data off my website? Or is that the point of the manifest? – EKet Aug 20 '13 at 22:01
  • I don't see your point. An extension is by default limited to a very small sandbox in the browser. By requesting permissions through the manifest it can get more permissions to access data *already loaded by the browser*. There is never any server involved, an extension can by its very nature only access client-side data that was already transmitted. – Niels Keurentjes Aug 21 '13 at 00:01
  • It seems obvious now, thanks. Since I have downloaded the content, I'm manipulating what I already have access to; vs having a server-to-server communication, it is just my client accessing the page I've downloaded and I'm making changes to my 'view'. Makes sense! – EKet Aug 21 '13 at 16:46
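Added example (mine, not code from the question, the answer, or any real extension) of the manifest mechanism the answer describes: a content script is injected only into pages whose URL matches the patterns declared in the manifest, and those patterns are what the user approves at install time ("Access your data on all websites" corresponds to `<all_urls>` or `*://*/*`). The manifest, the `login.salesforce.com` URL and the `fill.js` name are constructed; the pattern rules follow Chrome's documented match patterns, with matching against path plus query as an assumption.

```javascript
// Chrome-style match patterns: <scheme>://<host><path>. Scheme "*" means
// http or https, host "*.example.com" covers example.com and subdomains,
// "*" in the path is a wildcard, "<all_urls>" covers every scheme below.
const ALL_URL_SCHEMES = ["http", "https", "file", "ftp", "ws", "wss"];

// Constructed Manifest V3 fragment: a password-manager style extension that
// asks for Salesforce hosts only, and injects fill.js on login pages only.
const manifest = {
  manifest_version: 3,
  name: "demo-autofill",
  host_permissions: ["https://*.salesforce.com/*"],
  content_scripts: [
    { matches: ["https://*.salesforce.com/login*"], js: ["fill.js"] },
  ],
};

// Turn a glob with "*" wildcards into an anchored regex, escaping the rest.
function globToRegex(glob) {
  const parts = glob.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$");
}

// True when one match pattern covers the given URL (path+query, as Chrome).
function matchesPattern(pattern, urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1); // strip trailing ":"
  if (pattern === "<all_urls>") return ALL_URL_SCHEMES.includes(scheme);
  const m = /^(\*|[a-z][a-z0-9+.-]*):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error("invalid match pattern: " + pattern);
  const [, pScheme, pHost, pPath] = m;
  const schemeOk = pScheme === "*" ? ["http", "https"].includes(scheme) : scheme === pScheme;
  let hostOk;
  if (pHost === "*") hostOk = true;
  else if (pHost.startsWith("*.")) {
    const base = pHost.slice(2);
    hostOk = url.hostname === base || url.hostname.endsWith("." + base);
  } else hostOk = url.hostname === pHost;
  const pathOk = globToRegex(pPath).test(url.pathname + url.search);
  return schemeOk && hostOk && pathOk;
}

// Content scripts the browser would inject into a page at this URL. Page
// scripts get no such cross-origin access; only the manifest grants it,
// and only for the patterns the user approved at install time.
function contentScriptsFor(mf, urlString) {
  return mf.content_scripts
    .filter((cs) => cs.matches.some((p) => matchesPattern(p, urlString)))
    .flatMap((cs) => cs.js);
}
```

A real content script then runs inside the matched page's DOM (so it can read and fill form fields), while an ordinary page script embedding that site in an iframe is stopped by the same-origin policy.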