components that execute scripts / filters on webpages should have integrity protection #42274

Open
diracdeltas opened this issue Nov 13, 2024 · 3 comments · Fixed by brave/brave-core-crx-packager#1008 · May be fixed by brave/brave-core#26660
Labels: OS/Desktop, priority/P2 (A bad problem. We might uplift this to the next planned release.), sec-high, security

Comments

@diracdeltas
Member

diracdeltas commented Nov 13, 2024

  1. Brave's components should have integrity protection similar to extensions from the Chrome Web Store: https://github.com/brave/reviews/issues/1783#issuecomment-2469787880. If developers need to bypass this while testing out component changes, they can launch Brave with a special command line flag similar to the --load-extension flag in Chrome.

  2. The custom filters/scriptlets feature should be gated behind a secure pref, similar to the "developer mode" extensions toggle: https://github.com/brave/reviews/issues/1783#issuecomment-2458050497.

@diracdeltas diracdeltas added OS/Android Fixes related to Android browser functionality OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. sec-high security labels Nov 13, 2024
@diracdeltas
Member Author

diracdeltas commented Nov 13, 2024

cc @stoletheminerals but i'm guessing this is not a concern on Android because Claude tells me that Android apps cannot write to each other's storage directories.

@stoletheminerals

> Android apps cannot write to each other's storage directories.

correct, this is enforced by Linux user-based isolation

@diracdeltas
Member Author

opening as only the server part was done

@diracdeltas diracdeltas reopened this Nov 29, 2024