Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict APIs exposed from background page to content script #222

Open
glen3b opened this issue Oct 19, 2020 · 2 comments
Open

Restrict APIs exposed from background page to content script #222

glen3b opened this issue Oct 19, 2020 · 2 comments
Labels
Code Quality Issues relating directly to the quality of code, requiring refactoring, bad error handling, etc Discussion For discussions about features or deciding what should be done regarding a certain topic
Milestone
v7.X

Comments

@glen3b
Copy link
Collaborator

glen3b commented Oct 19, 2020

Chrome security recommendations essentially say that, as a background page, one should distrust content scripts. We currently expose a fairly broad "fetch via background" API to our content scripts, which explicitly goes against their recommendations. We should evaluate the security implementations here and trim down our API as needed.
@glen3b glen3b added Discussion For discussions about features or deciding what should be done regarding a certain topic Code Quality Issues relating directly to the quality of code, requiring refactoring, bad error handling, etc labels Oct 19, 2020
@Roguim
Copy link
Contributor

Roguim commented Oct 19, 2020

Where's this change needed? I'd assume the notification badge bit is one of them.

@glen3b
Copy link
Collaborator Author

glen3b commented Oct 23, 2020

fetchApiJson in preload.js is the one which comes to mind. Anywhere we use Schoology API calls this function.

@aopell aopell added this to the v7.X milestone Dec 11, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Code Quality Issues relating directly to the quality of code, requiring refactoring, bad error handling, etc Discussion For discussions about features or deciding what should be done regarding a certain topic
Projects
None yet
Milestone
v7.X
Development

No branches or pull requests
3 participants
@glen3b @aopell @Roguim