📄️ Exploit addEventListener
Although the content script is isolated, there is one important connection between the Isolated and Main Worlds: events. Let's imagine that the extension contains the following code in the content script:
📄️ Exploit Messages
This topic is closely related to the previous chapter, but it is more important. It is one of the most common mistakes I have encountered.
📄️ Open Closed Shadow DOM
Shadow DOM allows hidden DOM trees to be attached to elements in the regular DOM tree.
📄️ Clickjacking
This chapter is dedicated to Clickjacking in extension windows. I think it is unnecessary to explain what Clickjacking is; if you don't know, you can read about it in this article. Here, we will consider the specifics of Clickjacking for extensions.
📄️ Unsafe storage to UXSS
Sometimes developers forget that chrome.storage.local is shared across all sites where the content script is loaded.