0

I'd like to build a chrome extension to inject some sensitive content onto the current page. The current page should not be able to access it, but the content should be rendered on the page so the user can see it.

If I put the sensitive content into the DOM, the current page would be able to interrogate the DOM and access the sensitive content.

The only way I can think of which might work is to inject an iFrame which would then be protected by Cross Site Scripting.

Are there any HTML elements, tools, libraries or other techniques that might allow me to achieve this?

user3882611
  • 3
  • 1
  • Even iframes might be insufficient. What is the purpose of displaying this information? If e.g. it is a bank account number to send money to, then an iframe is not a good choice, because web pages could spoof the iframe. – Rob W Jan 16 '15 at 11:33
  • @RobW I think the concern is to protect the information from the webpage. – Xan Jan 16 '15 at 12:03

1 Answers1

2

An iframe is probably currently the best solution.

Shadow DOM is a possible answer (in future*).

In theory, the outer document will only see the shadow root element, but inside you can put any DOM. In practice, however, shadow DOM is still exposed, just traversed differently.

To secure it from inspection, you could override some methods, e.g.

Object.defineProperty(host, 'shadowRoot', {
  get: function() { return null; },
  set: function(value) { }
});

But this is not secure, since, as Rob W mentions in a comment, this can be intercepted.

In the end, it's important to remember that while amazingly fantastic, Shadow DOM has not been designed to be a security feature. Don't rely on it for complete content isolation.

See this question: Can a Shadow DOM secure my elements? for a discussion of this use of Shadow DOM and other methods.

* future refers to efforts to add a "private" flag to encapsulate shadow DOM completely from the page.

Another solution (that's also not ready for deployment) is seamless iframes. While an interesting concept, it's currently not supported at all across the board after briefly being experimental in Chrome.

Community
  • 1
  • 1
Xan
  • 74,770
  • 16
  • 179
  • 206
  • 1
    Shadow DOM cannot be relied upon as a security feature. "Override some methods" needs to be done in the script context of the page. Now, how can you know for sure that `Object.defineProperty` has not been tampered with? Not. – Rob W Jan 16 '15 at 11:32
  • @RobW is it better now? – Xan Jan 16 '15 at 12:02
  • Thanks guys! I'd never heard of the shadow DOM, looks like it would be good in future. – user3882611 Jan 16 '15 at 12:55