Sunday 15 September 2013

javascript - Prevent chrome extension from making ajax calls


I have an ASP.NET website with client JavaScript, which makes AJAX calls back to the server. Is there any way I can call my Chrome extension from my AJAX endpoints or Chrome extension code and can not detect it with my own JavaScript code? So far I have tested using the referrer and HttpOnly cookies, but there is no difference between the two calls. Any thoughts would be appreciated.

No, there is not.

A Chrome extension has elevated permissions that can 'out-permit' the JavaScript code of your website, manipulate it and make calls.

Even if you add something like an anti-CSRF token, an extension can still read it and bypass security. They can run JavaScript code on your site and can modify their own code on the site on the fly without informing themselves or their users.

The only thing you can do is trust the customer With any important problem, all requests you as hostile Clients are required to receive and authenticate before requesting on your server.

(I assume that you have a Chrome extension running on your site)
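The point of the answer above, as an added example that is not part of the original question or answer: the session cookie, anti-CSRF token and referrer all arrive unchanged when code running in the page replays them, so the server has to authenticate and authorize each request against its own state. The plain-JavaScript handler stands in for the ASP.NET endpoint, and every name and value in it (`sessions`, `documents`, `handleReadDocument`, `example.test`) is hypothetical and constructed for illustration.

```javascript
// Constructed server-side state; all names and values are hypothetical.
const SITE = "https://example.test/";
const sessions = new Map([["sess-abc", { user: "alice", csrf: "tok-123" }]]);
const documents = new Map([[1, { owner: "alice" }], [2, { owner: "bob" }]]);

// The signals the question tried: session cookie, anti-CSRF token, referrer.
// Code running inside the page can read or replay every one of them.
function clientSignalsValid(req) {
  const session = sessions.get(req.cookies.sid);
  return session !== undefined &&
    req.headers["x-csrf-token"] === session.csrf &&
    String(req.headers.referer || "").startsWith(SITE);
}

// Server-side decision: authenticate, then authorize against server state,
// without relying on which script in the browser produced the request.
function handleReadDocument(req) {
  if (!clientSignalsValid(req)) return { status: 401 };
  const user = sessions.get(req.cookies.sid).user;
  const doc = documents.get(Number(req.body.docId));
  if (doc === undefined) return { status: 404 };
  if (doc.owner !== user) return { status: 403 };
  return { status: 200 };
}

// Constructed requests as the server sees them.
function makeRequest(docId, sid = "sess-abc") {
  return {
    cookies: { sid },
    headers: { "x-csrf-token": "tok-123", referer: SITE + "docs" },
    body: { docId },
  };
}
const fromPage = makeRequest(1);          // sent by the site's own script
const fromExtension = makeRequest(1);     // same cookie, token and referrer
const extensionOtherDoc = makeRequest(2); // valid signals, someone else's data
const noSession = makeRequest(1, "unknown");

console.log(clientSignalsValid(fromPage), clientSignalsValid(fromExtension));
console.log(handleReadDocument(extensionOtherDoc).status);
```

The first two requests are indistinguishable to the server, which is why the ownership check in `handleReadDocument`, not the token or referrer, is what stops the third one.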
