Restrict APIs exposed from background page to content script

Question

Restrict APIs exposed from background page to content script

Opened this issue 4 years ago · 2 comments

Chrome security recommendations essentially say that, as a background page, one should distrust content scripts. We currently expose a fairly broad "fetch via background" API to our content scripts, which explicitly goes against their recommendations. We should evaluate the security implementations here and trim down our API as needed.

Answer 1 · 2020-10-19T23:52:16.000Z

Where's this change needed? I'd assume the notification badge bit is one of them.

Answer 2 · 2020-10-23T21:03:11.000Z

fetchApiJson in preload.js is the one which comes to mind. Anywhere we use Schoology API calls this function.