
Greaselion should provide an API for validating that a message is from Greaselion


This issue came up during a security review for https://github.com/brave/brave-core/pull/5440.

Greaselion content scripts are currently downloaded on-the-fly and given a dynamically-generated extension ID when installed locally. The problem with this approach is that other extensions could send messages to Brave and the browser would have no way to authenticate that they were sent by Greaselion extensions.

One idea I can think of is to enhance the Greaselion.json file to support an id key, allowing content script creators to specify a static extension ID for Greaselion to use. The Greaselion service could then insert this id into the manifest when generating the given extension.
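As an added illustration of the check the issue asks for (this is example code, not Brave's Greaselion service or anything from brave-core): a background-page handler that accepts an external message only when the browser-supplied sender.id matches one of the static IDs declared with the proposed "id" key in Greaselion.json. The Greaselion.json rules below are a constructed sample that assumes the "id" key the issue proposes; the rule shape (urls, scripts) and the helper names are assumptions, not the project's format or API.

```javascript
// Added example, not Brave's code. Assumes the proposed "id" key exists in
// Greaselion.json and that the browser reports the sending extension's ID in
// sender.id for chrome.runtime.onMessageExternal (the sender cannot set it).

// Constructed sample of Greaselion.json rules carrying the proposed "id" key.
const SAMPLE_GREASELION_JSON = [
  {
    id: "abcdefghijklmnopabcdefghijklmnop",
    urls: ["https://example.com/*"],
    scripts: ["example.js"],
  },
  {
    // No id: this rule would get a dynamic ID, so it cannot be trusted by ID.
    urls: ["https://example.org/*"],
    scripts: ["other.js"],
  },
  {
    id: "not-a-valid-id", // malformed, rejected when building the allowlist
    urls: ["https://example.net/*"],
    scripts: ["broken.js"],
  },
];

// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXTENSION_ID_RE = /^[a-p]{32}$/;

// Build the set of static IDs the background page may trust.
function trustedIdsFromGreaselion(rules) {
  const trusted = new Set();
  for (const rule of rules) {
    if (typeof rule.id === "string" && EXTENSION_ID_RE.test(rule.id)) {
      trusted.add(rule.id);
    }
  }
  return trusted;
}

// The validation the issue asks for: did this message come from a
// Greaselion extension? A sender without an id (e.g. a web page talking via
// externally_connectable) or with an unknown id is rejected.
function isFromGreaselion(sender, trusted) {
  return Boolean(
    sender && typeof sender.id === "string" && trusted.has(sender.id)
  );
}

// Handler that drops anything not proven to come from Greaselion before
// acting on the message body.
function handleExternalMessage(message, sender, trusted) {
  if (!isFromGreaselion(sender, trusted)) {
    return { ok: false, reason: "untrusted sender " + (sender && sender.id) };
  }
  return { ok: true, type: message.type };
}

const TRUSTED = trustedIdsFromGreaselion(SAMPLE_GREASELION_JSON);

// Wire the handler up in a real background page; skipped when run under Node.
if (typeof chrome !== "undefined" && chrome.runtime &&
    chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    sendResponse(handleExternalMessage(message, sender, TRUSTED));
  });
}
```

The allowlist is built once from the configuration, so a rule that omits the id or carries a malformed one simply never becomes trusted; the handler then only has to compare sender.id against that set, which is the property a dynamically generated ID cannot give.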

Issue state: closed; 8 comments (6 by maintainers)

Top GitHub Comments

bridiver commented on Aug 27, 2020 (2 reactions)

> So it seems like we may be able to get any APIs we want to run in content scripts instead of only background scripts by adding the content_script context to the relevant _api_features.json file, e.g. https://source.chromium.org/chromium/chromium/src/+/master:extensions/common/api/_api_features.json;l=517?q=_api_features.json.
>
> However, I have to think there's a reason chrome doesn't do this, instead confining all browser APIs to the background process and only allowing message passing from the page content script thread. Given that, I have performance and security concerns around allowing our APIs from the content script (I assume it's on the page process?), and would love it if someone more expert (@diracdeltas, @bridiver ?) could weigh in on that.

@petemill that would be an extremely bad idea and even if you added it to api_features, I'm pretty sure it still wouldn't work correctly. The APIs that content scripts can access are intentionally limited for security reasons.

diracdeltas commented on Aug 26, 2020 (1 reaction)

That sounds fine as long as all greaselion scripts are maintained by us.
