I'm trying to understand the security implications of using browser extension storage. A few things are not clear to me when I read the WebExtensions storage documentation.
The documentation says, among other things, that:
Values are scoped to the extension, not to a specific domain (i.e. the same set of key/value pairs are available to all scripts in the background context and content scripts).
also:
Each extension has its own storage area, which can be split into different types of storage.
also:
The storage area is not encrypted and shouldn't be used for storing confidential user information.
Considering the above, I still have a few questions here:
- Is it possible for extension E to access data stored by extension A?
- Is it possible for an arbitrary webpage to access data stored by extension A?
- Is it possible for a webpage on which extension A is run to access data stored by this extension?
I read a few bits about localStorage (in)security but I'm not sure if and how those rules apply to
Thanks in advance for your help!
Note:
storage.local (e.g. browser.storage.local.get('item') or chrome.storage.local.get('item')) is a WebExtension API and limited to the extension. It should not be confused with Window.localStorage (e.g. localStorage.getItem('item')) which is a Web API and not secure and accessible.
In case of storage.local:
- No. Each extension has its own storage.local area and not accessible by other extensions.
- No. As above access is limited to the extension only.
- No. As above.
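
The distinction in the note matters most inside content scripts, where the bare localStorage global is the host page's Web Storage, so the page's own scripts can read anything put there. The following Node.js check is an added example, not part of the original answer: it lists the content scripts declared in a manifest and flags Web Storage use in them. The manifest, file names and sources are constructed sample input, and the text scan is a heuristic that will also flag matches inside comments.

```javascript
// Constructed sample input for a hypothetical extension (not from the page).
const sampleManifest = {
  manifest_version: 2,
  name: "sample",
  permissions: ["storage"],
  background: { scripts: ["bg.js"] },
  content_scripts: [{ matches: ["<all_urls>"], js: ["cs-good.js", "cs-bad.js"] }],
};
const sampleSources = {
  "bg.js": "browser.storage.local.set({ token: t });",
  "cs-good.js": "chrome.storage.local.get('item').then(use);",
  "cs-bad.js": "const t = localStorage.getItem('item');\nwindow.sessionStorage.setItem('k', v);",
};

// Matches the Web Storage globals, optionally written as window.localStorage.
// It does not match the WebExtension API (browser.storage.local), and the
// lookbehind skips unrelated properties such as someObject.localStorage.
const WEB_STORAGE =
  /(?<![\w$.])(?:(?:window|self|globalThis)\s*\.\s*)?(localStorage|sessionStorage)\b/g;

// Files that run in web pages, de-duplicated across content_scripts entries.
function contentScriptFiles(manifest) {
  return [...new Set((manifest.content_scripts || []).flatMap((cs) => cs.js || []))];
}

// Report every Web Storage reference found in a content script.
function findPageStorageUse(manifest, sources) {
  const findings = [];
  for (const file of contentScriptFiles(manifest)) {
    (sources[file] || "").split("\n").forEach((text, i) => {
      for (const m of text.matchAll(WEB_STORAGE)) {
        findings.push({ file, line: i + 1, api: m[1] });
      }
    });
  }
  return findings;
}

for (const f of findPageStorageUse(sampleManifest, sampleSources)) {
  console.log(`${f.file}:${f.line} uses ${f.api} (page-origin storage, readable by the page)`);
}
```

Data that must stay private to the extension belongs in browser.storage.local or chrome.storage.local, which the scan deliberately does not flag.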