Skip to content

Update Browser_Extension_Vulnerabilities_Cheat_Sheet.md #1923

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
KadirArslan wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Update Browser_Extension_Vulnerabilities_Cheat_Sheet.md #1923

KadirArslan wants to merge 2 commits into from
+41 −0

Conversation

@KadirArslan
Copy link
Contributor

@KadirArslan KadirArslan commented Dec 8, 2025

I've added chrome.runtime.sendMessage/onMessage check as a additional section.
This was missing on the CS

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR pass, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR fixes issue #<REPLACE WITH ISSUE NUMBER>.

AI Tool Usage Disclosure (required for all PRs)

Please select one of the following options:

  • I have NOT used any AI tool to generate the contents of this PR.
  • I have used AI tools to generate the contents of this PR. I have verified
    the contents and I affirm the results. The LLM used is [llm name and version]
    and the prompt used is [your prompt here]. [Feel free to add more details if needed]

Thank you again for your contribution 😃

jmanico
jmanico previously approved these changes Dec 9, 2025
View reviewed changes
szh
szh reviewed Dec 10, 2025
View reviewed changes
Copy link
Collaborator

@szh szh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not familiar with this API but I did some quick searching and I found that Google has additional guidelines on this: https://developer.chrome.com/docs/extensions/develop/concepts/messaging#content-scripts-are-less-trustworthy
Perhaps we should include their recommendations and link to this document?

@KadirArslan
Copy link
Contributor Author

KadirArslan commented Dec 10, 2025

Thank you for the pointing this out. I've changed the mitigation section, changed to be more action item(ish) list that contains all of the info shared in chrome document.
Apart from that added secure example too.

@szh could you please review again?

szh
szh reviewed Dec 10, 2025
View reviewed changes
cheatsheets/Browser_Extension_Vulnerabilities_Cheat_Sheet.md
```javascript
chrome.runtime.onMessage.addListener((request, sender, sendResponse) => {
if (sender.id !== chrome.runtime.id) return;
if (!sender.url?.startsWith('chrome-extension://')) return;
Copy link
Collaborator

@szh szh Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once we're checking if it comes from an extension, why not also check the extension ID, like if (!sender.url?.startsWith('chrome-extension://<my-extension-id>'))

Copy link
Contributor Author

@KadirArslan KadirArslan Dec 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sender.id already uniquely identifies the extension; checking the ID again in the URL would be redundant. URL validation can still be used optionally to restrict specific extension contexts.

cheatsheets/Browser_Extension_Vulnerabilities_Cheat_Sheet.md

```javascript
chrome.runtime.onMessage.addListener((request, sender, sendResponse) => {
if (sender.id !== chrome.runtime.id) return;
Copy link
Collaborator

@szh szh Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this id be the extension's id?

Copy link
Contributor Author

@KadirArslan KadirArslan Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. sender.id is the ID of the extension that sent the message.
Comparing it to chrome.runtime.id ensures the message originated from this same extension.

szh
szh approved these changes Dec 11, 2025
View reviewed changes
Copy link
Collaborator

@szh szh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the explanations. LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@szh szh szh approved these changes

@jmanico jmanico jmanico left review comments

+1 more reviewer

@andrzejsydor andrzejsydor andrzejsydor approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@KadirArslan @jmanico @szh @andrzejsydor