Related to this question but specifically for a content script.

This article talks about there being a false sense of security when using closed mode because "There's nothing stopping an attacker from hijacking Element.prototype.attachShadow."

However, this article talks about content scripts being run in isolated environments.

Is it therefore safe to assume that any shadow DOM attached via a content script is secure?

Hipp04
  • No. What if another extension changes `Element.prototype.attachShadow`? – 0xcaff Nov 30 '16 at 01:28
  • @caffinatedmonkey Extensions are isolated from each other, too. – Josh Lee Nov 30 '16 at 01:46
  • Yes. But because multiple roots have been removed, this may break things occasionally if the site also tries to add a shadow root. – Daniel Herr Nov 30 '16 at 01:59
  • Secure against what? What's your threat model? Extensions can definitely pierce the shadow dom. The untrusted page probably not, but the API surface is huge, so it's difficult to say for sure (shadow dom + iframe does sound safer). – the8472 Feb 28 '20 at 23:41

0 Answers
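
The two claims the question weighs against each other can be modelled outside a browser. This added example (not from the post, the linked articles or Chrome's code) uses Node's `vm` contexts as stand-ins for the page's main world and a content script's isolated world; `makeWorld`, `nativeAttachShadow` and `demo` are hypothetical names, and the model covers only the prototype-hijack vector, not access by other extensions or browser APIs.

```javascript
const vm = require('node:vm');

// Shared native layer (constructed): stands in for the one DOM all worlds share.
const nativeRoots = new WeakMap();
function nativeAttachShadow(node, init) {
  const root = { mode: init.mode, host: node };
  nativeRoots.set(node, root);
  return root;
}

// Build one JavaScript world (a separate realm) with its own Element wrapper.
function makeWorld() {
  const ctx = vm.createContext({ nativeAttachShadow, captured: [] });
  vm.runInContext(`
    globalThis.Element = class Element {
      constructor(node) { this.node = node; }
      attachShadow(init) { return nativeAttachShadow(this.node, init); }
    };`, ctx);
  return ctx;
}

function demo() {
  const page = makeWorld();          // untrusted page's main world
  const contentScript = makeWorld(); // extension's isolated world

  // The hijack quoted in the question, applied by the page inside its own world.
  vm.runInContext(`
    const original = Element.prototype.attachShadow;
    Element.prototype.attachShadow = function (init) {
      const root = original.call(this, init);
      captured.push(root); // the page keeps every root created through its wrapper
      return root;
    };`, page);

  // Two nodes of the shared DOM, one used by each world.
  const pageNode = { tag: 'div' };
  const extNode = { tag: 'div' };
  page.pageNode = pageNode;
  contentScript.extNode = extNode;
  vm.runInContext(`new Element(pageNode).attachShadow({ mode: 'closed' })`, page);
  vm.runInContext(`new Element(extNode).attachShadow({ mode: 'closed' })`, contentScript);

  return {
    pageCapturedOwnRoot: page.captured.some((r) => r.host === pageNode),
    pageCapturedExtensionRoot: page.captured.some((r) => r.host === extNode),
    samePrototype: page.Element.prototype === contentScript.Element.prototype,
  };
}
```

The patch only intercepts calls made through the page world's own `Element.prototype`; the content-script world calls an unpatched copy, so its closed root never reaches the page's `captured` list.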