web_accessible_resources and UUID leaking #15

Closed
atomGit opened this issue Sep 27, 2020 · 2 comments

Comments

@atomGit

atomGit commented Sep 27, 2020

I was just doing some long overdue reading on how extensions (and in turn the browser) can be fingerprinted, and I see that if an ext. uses "web_accessible_resources" (and JS is enabled), it's possible for a website to get the UUID of the ext.

In the Search Engines Helper manifest I'm seeing "web_accessible_resources", and I'd just like to get your take on whether it may be affected by this.

Bug 1405971

@soufianesakhi
Owner

I don't think they are related, as web_accessible_resources are local resources only, so there is no external fetch.

@atomGit
Author

atomGit commented Sep 27, 2020

As long as these resources are never exposed to the DOM, all should be fine; however, if there's any question about this, please read further...

My understanding is that it's not whether local resources are fetchable, but whether the extension leaks its UUID, which depends (partially) on whether web_accessible_resources is used.

This appears to be a serious issue because a unique identifier (UUID) is assigned to every extension, and that UUID changes for every user, meaning that if the UUID leaks, the browser is uniquely identifiable.

What I'm not clear on is to what degree this is being used in the wild and how easy it is to exploit. Nevertheless, it seems that it isn't much of a problem for ext. devs to fix/work around.

Further reading...
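As an added example (not code from this issue or from the Search Engines Helper project), a small Python audit that follows the reasoning in the comment above: it lists what a manifest exposes through web_accessible_resources (handling both the MV2 list-of-paths and MV3 list-of-objects shapes) and flags content scripts that build moz-extension:// URLs with runtime.getURL, since that is the usual way such a URL, and with it the per-profile UUID, ends up in a page's DOM. The manifest and content script below are constructed samples.

```python
import json
import re

# Constructed sample manifest (MV2 shape) and content script, for illustration only.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-ext",
    "web_accessible_resources": ["icons/logo.png", "inject/*.js"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
})
SAMPLE_MANIFEST_MV3 = json.dumps({
    "manifest_version": 3,
    "name": "example-ext",
    "web_accessible_resources": [
        {"resources": ["icons/logo.png"], "matches": ["https://example.com/*"]}
    ],
})
SAMPLE_CONTENT_JS = """
const img = document.createElement('img');
img.src = browser.runtime.getURL('icons/logo.png');  // puts moz-extension://<uuid>/ in the DOM
document.body.appendChild(img);
"""

GETURL_RE = re.compile(r"\b(?:browser|chrome)\.runtime\.getURL\(")


def exposed_resources(manifest):
    """Normalise web_accessible_resources across MV2 (list of paths, loadable by
    any page) and MV3 (list of {"resources": [...], "matches": [...]}) into
    (path, matches) pairs."""
    out = []
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):
            out.append((entry, ["<all_urls>"]))
        else:
            for path in entry.get("resources", []):
                out.append((path, entry.get("matches", [])))
    return out


def scripts_exposing_uuid(scripts):
    """Names of content scripts that compute an extension URL; once that URL is
    inserted into the page DOM, the page can read the UUID from it."""
    return sorted(name for name, src in scripts.items() if GETURL_RE.search(src))


def audit(manifest_json, scripts):
    """scripts maps content-script file name -> source text."""
    resources = exposed_resources(json.loads(manifest_json))
    exposing = scripts_exposing_uuid(scripts)
    if not resources:
        risk = "none: no web_accessible_resources declared"
    elif exposing:
        risk = "high: resources declared and content scripts build extension URLs"
    else:
        risk = "low: resources declared but no content script references them"
    return {"resources": resources, "exposing_scripts": exposing, "risk": risk}
```

Run `audit(SAMPLE_MANIFEST, {"content.js": SAMPLE_CONTENT_JS})` to see the high-risk case; the same manifest with a content script that never calls getURL drops to low.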
