Friday, January 18, 2013

Google subdomain access in content scripts

The reason is that this opens you up to being injected where you don't expect, which can lead to security problems.  In your above code, it would run on for example.  Even if you changed your code to explicitly test for known registry-controlled domains (.com,, .jp, etc.), you'd still have a problem in that most companies (including Google) don't actually own companyname.* for every RCD that's out there.  Further, in the cases where the company doesn't own that domain, the domain is often being used for phishing/malware, etc.  So the only way to do this is to know ahead of time the explicit list of RCDs that are controlled by the company, which can be a pain to figure out unfortunately.

it is the reason you can not do *://*.google.*/ in match pattern

No comments: