
I currently have a web app that implements its own authentication via a "login" REST endpoint which returns a JWT and I would like to reuse this for my Chrome extension's authentication.

The accepted answer in this question suggests that only OAuth 2.0 should be used when authenticating within a Chrome extension otherwise attackers could steal the username & password.

I'm unsure how using an HTTPS POST request within a Chrome extension and storing the resulting JWT in the extension's localStorage would be any more vulnerable than a website that does the same thing.

Am I correct in assuming that it is in fact safe to do (HTTPS POST & store JWT in localStorage) and, if so, are there any best practices or common pitfalls to avoid?

All Chrome extension authentication references I've found only talk about OAuth 2.

Thanks

  • URL and headers of XHR/fetch from your extension can be intercepted by another extension. Not sure about chrome.identity API, but I wouldn't be surprised if it's not interceptable by design (obviously, you'll have to verify this guess). – wOxxOm Jun 21 '17 at 15:19
  • Thanks for the response @wOxxOm, but if you have installed an extension that can maliciously read XHR requests of chrome extensions, couldn't it also maliciously read XHR requests of normal websites? – Glenn Allen Jun 21 '17 at 21:34

0 Answers