Use the standard extension content security policy (CSP)

The standard policy restricts the sources from which your extension can load `<script>` and `<object>` resources, and disallows potentially unsafe practices such as the use of eval(). While the manifest.json key content_security_policy enables you to modify the content security policy for your extension, this isn't recommended, as the policy helps prevent extensions from inadvertently executing malicious content. If your modified CSP allows remote script injection, your extension will be rejected from AMO during review. For more information, see Default content security policy.

Share objects with in-page JavaScript with care

Firefox provides wrappedJSObject so a content script can access JavaScript objects created by page scripts. The danger here is that a malicious web page could, for example, modify the functions of JavaScript objects to run code of its own. For more information, see Accessing page script objects from content scripts.

Use window.eval() in content scripts with caution

You should be very careful when running code in the context of a page. A malicious web page could attempt to run code of its own by exploiting the use of window.eval().

If you want to add Google Analytics to your extension, don't insert the Google Analytics JavaScript code. Rather, it's recommended that the Google Analytics REST API is used in an XHR call, such as:

```js
let request = new XMLHttpRequest();
```

You can find more information in the blog post Using Google Analytics in Extensions.

Use templating engine commands that escape any HTML before inserting it. For more information, see Safely inserting external content into a page.

DOMPurify versions 2.0.6 and older contain a cross-site-scripting security vulnerability. Please ensure you are using the latest version. AMO will allow the latest 2.x version at the time of submission; previous versions will not be accepted due to their security vulnerabilities.

Use plain language in any privacy policy or license agreement.
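The escape-before-insert guidance above (escape any HTML before inserting external content into a page), as an added example that is not from the Mozilla documentation: a minimal tagged template in which the literal parts are trusted and every interpolated value is escaped. The names escapeHtml, safeHtml and renderComment and the sample comment are this example's own.

```javascript
// Added example (not from the Mozilla page): a tagged template that escapes
// every interpolated value before it is inserted into HTML, the behaviour the
// page asks for when rendering external content from an extension.
// escapeHtml, safeHtml, renderComment and SAMPLE_COMMENT are hypothetical names.

const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tagged template: literal parts are authored by the extension and trusted,
// interpolated parts are treated as untrusted and escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, literal, i) =>
      out + literal + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// Render one comment received from a remote API (external content).
function renderComment(comment) {
  return safeHtml`<li class="comment"><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Constructed sample: an API response carrying an injection attempt in both
// an attribute-breaking field and a markup field.
const SAMPLE_COMMENT = {
  author: 'mallory" onmouseover="alert(1)',
  body: '<img src=x onerror="alert(document.cookie)">',
};

// In a content script this string can be assigned to element.innerHTML; the
// markup is inert because every user-controlled character has been escaped.
const RENDERED = renderComment(SAMPLE_COMMENT);
```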