20 lines
1007 B
Plaintext
20 lines
1007 B
Plaintext
An important update happened to the extension we were observing, it expanded and
|
|
began using a larger JSON-based API for disabling web APIs. Our project team
|
|
decided to focus on extending the behavior of this extension.
|
|
|
|
Our group has decided to extend the web Audio API and look into what APIs need
|
|
to be blocked and compile a data file containing our findings. I've also noticed
|
|
that the extension has not deviated from their code-generating eval style, so
|
|
I'm currently looking at workarounds from using eval (creating a script tag and
|
|
inserting it into the DOM).
|
|
|
|
Additionally, when it comes to running on sites that have a very strict Content
|
|
Security Policy, they manually inject the sha-256 of the script into the header
|
|
before the script is injected into the page. However, doing a quick search on
|
|
this approach reveals that it's not completely reliable[1], and conflicting
|
|
extensions may cause the script to not be pardoned.
|
|
|
|
[1]: https://transitory.technology/browser-extensions-and-csp-headers
|
|
|
|
|