How does Same Origin Policy apply to browser extensions?

by

The same-origin policy (SOP) appplies to ordinary web pages, not browser extensions, even if they are written in JavaScript. What does “different server” mean when the extension code does not origingate from a server? (The extension script might have some kind of orgin, like chrome-extension://longhashidentificationstr, but not an traditional domain/origin.) To communicate with any Web page (except those that have CORS headers), the extension cannot be bound by the SOP.

Extensions don’t exactly “violate” the SOP; instead, the SOP does not apply to them. The SOP is designed to limit damage that can be caused by a compromised or malicious Web page. Viewing a web page should require zero trust in the page, since it is so easy to visit a Web page. However, installing an extension is something users do less frequently and has larger impact on the user, so it’s not unreasonable to require some trust in the extension.

More Related Contents:

  1. Can a site invoke a browser extension?
  2. How do I write a Firefox Addon? [closed]
  3. Firefox and Chrome slow on localhost; known fix doesn’t work on Windows 7
  4. Inspecting WebSocket frames in an undetectable way
  5. Avoid panel to autoHide in Firefox extension
  6. Install WebExtensions on Firefox from the command line
  7. X-Frame-Options: ALLOW-FROM in firefox and chrome
  8. How can I get the current Crome URL?
  9. Chrome extension that enables chatting with users on same page [closed]
  10. How to import ES6 modules in content script for Chrome Extension
  11. new Date() is working in Chrome but not Firefox
  12. Webdriver Unable to connect to host 127.0.0.1 on port 7055 after 45000 ms
  13. Firefox Links to local or network pages do not work
  14. Unchecked runtime.lastError while running tabs.executeScript?
  15. How do I auto-reload a Chrome extension I’m developing?
  16. Upload File as a Form Data through chrome extension
  17. Chrome extension: Inject JS before page load
  18. How to properly handle chrome extension updates from content scripts
  19. chrome.storage.local.get and set [duplicate]
  20. What is this JavaScript syntax: {Ci, CC}? [duplicate]
  21. Ajax call bug with Chrome new version 73.0.3683.75?
  22. Why is document.execCommand(“paste”) not working in Google Chrome?
  23. How to disable “This Connection is Untrusted” Certificate in FireFox?
  24. How can I inspect disappearing element in a browser?
  25. favicon not displayed by Firefox
  26. tabs.executeScript – passing parameters and using libraries?
  27. Get selected text and selected nodes on a page?
  28. Run script each time Chrome extension icon clicked
  29. How to revert Firebug to old version?
  30. The resource at “http://some-urls/some-files.js” was blocked because tracking protection is enabled

Leave a Comment