Re: Extension security?



On Monday 05 December 2011 at 23:14 +0100, Gabriel wrote:
> Hi all,
> 
> I may be missing something, but the really nifty extensions site 
> prompted me to ask this, are there not potential security issues with 
> extensions being able to be installed by clicking on a webpage? And 
> since extensions are able to modify the way the UI behaves, could 
> someone not make one that steals users' info, makes screenshots, steals 
> passwords (like emulating the login screen for example), etc?
(Note this applies to any random third-party package users might install
by clicking on a link and providing their password.)

> I'm sure you thought of all this so I'd be interested in knowing how you 
> protect us (sandboxing, limiting the things API can do, not allowing 
> access to the HD except through given functions, etc).
This has been discussed on this list previously. See
http://lwn.net/Articles/459786/ for a summary and links.

Basically, the Shell ensures the extension comes from
extensions.gnome.org, which requires a review of the code by other
hackers; and it will never install/update extensions without user action
(modal dialog). But once installed, extensions are not sandboxed and can
do whatever they want to the Shell, or to your files (just like any app
on the system).


Cheers

