Access of third-party extensions to my cookies

Cookies are used on my website. Recently I noticed some cases of scamming where a third-party extension steals users' session cookies and sends them to scammers. Is it possible to prohibit browser extensions from accessing my website's cookies? With the help of some meta tag, maybe?

Upvotes: 0

Views: 820

Answers (1)

ibrahim tanyalcin

Reputation: 6501

TLDR: HTTPS is a must. Extensions have an absurd level of access to cookies, including HttpOnly ones. Looking over here, a manifest.json can point to an extension script that ultimately gets access to your cookie, but if you are using a CSP header to whitelist domains, then I presume the extension cannot do anything with it, unless they work at a lower layer (scripts are injected (:facepalm:) so CSP isn't applicable to them; alas, from what I read, it looks like that....)

I would first consider controlling the third-party apps that I want to allow to communicate. For that, consider:

To make use of the above, you 'need' to switch your protocol to HTTPS.

Next, it is still possible that scripts you trust exhibit malicious behavior, so for those cookies that are strictly private, set them from the server side with the HttpOnly option:

  • Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly

This way JS cannot access them. Read through the cookies @MDN.

Needless to say, do not allow other people to get access to your window:

  • If you use oWindow = window.open(.....), make sure oWindow does not have access back to you: oWindow.opener = null;
  • If you have links etc., always use the rel='noopener noreferrer' attribute on them.
  • Prevent other windows from opening your page in an iframe: X-Frame-Options: SAMEORIGIN

Lastly, I do not recommend this (I didn't try it either) as it does not provide real security; however, if you are sure the third-party implementations do not need XMLHttpRequest, you can monkey patch it or delete it from the global:

 XMLHttpRequest = (function (xhr) {
       // do whatever you need here while you still hold a reference to the real constructor (xhr)
       return null; // the global now resolves to null, so scripts loaded later cannot construct it
    }(XMLHttpRequest));

or alternatively remove the withCredentials getter/setter from the prototype, as this never affects same-origin requests anyway (it is not supposed to):

delete XMLHttpRequest.prototype.withCredentials;

Upvotes: 0
