Opened 7 years ago

Closed 5 years ago

#5566 closed enhancement (fixed)

[CHROME] One magic flag to hardening CRX and prevent CSP abuse - {"manifest_version": 2}

Reported by: jaedo
Owned by: pde
Priority: Medium
Component: HTTPS Everywhere/EFF-HTTPS Everywhere

Description

Since Google Chrome 18 stable was released, it's preferable to use "manifest_version": 2 in manifest.json because the Content Security Policy by default is too weak.

At least it is possible to detect a Chrome extension by requesting CRX resources via the internal protocol.

That's the demo: http://www.browserleaks.com/chrome. It can detect that I have HTTPS Everywhere installed.

More about CSP with regard to Chrome extensions can be found here: http://code.google.com/chrome/extensions/trunk/contentSecurityPolicy.html

Change History (7)

comment:1 Changed 7 years ago by jaedo

Component: - Select a component → EFF-HTTPS Everywhere
Owner: set to pde

Of course it's about HTTPS Everywhere; I can't find how to edit the ticket and set the correct component. I'm very sorry.

comment:2 Changed 7 years ago by rransom

Component: EFF-HTTPS Everywhere → HTTPS Everywhere: Chrome

comment:3 Changed 7 years ago by pde

We could accept a patch that implements manifest version 2 along with a good Content Security Policy!

Note that there are probably a lot of ways for a website to detect that the client has HTTPS Everywhere installed, and I doubt it will ever be possible to prevent that.

comment:4 Changed 7 years ago by rransom

Why would you care about preventing websites from detecting that HTTPS Everywhere is installed?

comment:6 Changed 6 years ago by pde

Component: HTTPS Everywhere: Chrome → EFF-HTTPS Everywhere
Summary: One magic flag to hardening Chrome CRX and prevent CSP abuse - {"manifest_version": 2} → [CHROME] One magic flag to hardening CRX and prevent CSP abuse - {"manifest_version": 2}

comment:7 Changed 5 years ago by zyan

Resolution: fixed
Status: new → closed

Closing this because Nick Semenkovich writes:
"""
You can close that ticket. Chrome now requires manifest version 2
(which we're using: https://github.com/EFForg/https-everywhere/blob/master/chromium/manifest.json)

Manifest V2 sets a default CSP of: script-src 'self'; object-src 'self'
(https://developer.chrome.com/extensions/contentSecurityPolicy)

Yay! Go us!

Since we're crazy-paranoid, I'll make a pull request for an even more
aggressive CSP (like default-src: none, that we then override).
"""
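
The hardening points raised in this ticket (manifest version, CSP strength, and extension files a web page can request to detect the extension), written as a manifest check. This is an added example, not part of the ticket or the HTTPS Everywhere code; `auditManifest`, `parseCsp`, the finding names and the sample manifests are assumptions made for illustration, and only the manifest_version 2 format is covered.

```javascript
// Added example, not code from the ticket or the HTTPS Everywhere repository.
// parseCsp, auditManifest and the finding names are hypothetical.
const MV2_DEFAULT_CSP = "script-src 'self'; object-src 'self'"; // default quoted in comment:7

// Parse a CSP string into Map(directive -> [sources]); the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Return finding ids for a parsed manifest.json object (manifest_version 2 format only).
function auditManifest(manifest) {
  // A missing or version-1 manifest gets no default CSP; other versions are out of scope here.
  if (manifest.manifest_version !== 2) return ['not-manifest-v2'];
  const findings = [];
  const explicit = typeof manifest.content_security_policy === 'string';
  if (!explicit) findings.push('relies-on-default-csp');
  const csp = parseCsp(explicit ? manifest.content_security_policy : MV2_DEFAULT_CSP);

  // script-src falls back to default-src when it is absent.
  const scriptSrc = csp.get('script-src') || csp.get('default-src');
  if (!scriptSrc) findings.push('script-src-unrestricted');
  for (const src of scriptSrc || []) {
    const s = src.toLowerCase();
    if (s === "'unsafe-eval'" || s === "'unsafe-inline'") findings.push(`script-src-${s.slice(1, -1)}`);
    else if (s !== "'self'" && s !== "'none'") findings.push(`script-src-external:${src}`);
  }
  // Stricter baseline proposed in comment:7: deny everything, then allow per directive.
  const def = csp.get('default-src') || [];
  if (!(def.length === 1 && def[0].toLowerCase() === "'none'")) findings.push('no-default-src-none');
  // Files listed here can be requested by web pages, so they reveal that the extension is installed.
  for (const res of manifest.web_accessible_resources || []) {
    findings.push(`web-accessible:${res}`);
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const legacy = { name: 'constructed-v1' };
const hardened = { manifest_version: 2, content_security_policy: "default-src 'none'; script-src 'self'; object-src 'self'" };
const loose = { manifest_version: 2, web_accessible_resources: ['icons/logo.png'],
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'" };
console.log(auditManifest(legacy), auditManifest(hardened), auditManifest(loose));
```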
