http://code.google.com/p/chromium/iss...
"Chrome shares a list of all browser extensions I have installed with every web site I visit even when I am browsing in incognito mode."
http://code.google.com/chrome/extensi...
"You can use the web_accessible_resources feature. In newer Chromes, it will do the right thing. Older Chromes will ignore it."
http://news.ycombinator.com/item?id=3...
"Chrome extensions are probably a major source of untapped security holes."
-
Hi Jed,
Thanks for reporting this!
We should be clear of all XSS vectors in Ghostery for Chrome as of 3.0.0. You are encouraged to check for yourself, of course.
I'll make sure to upgrade the manifest to version two (and bump minimum required Chrome to 18) in the next update.
-
http://code.google.com/p/chromium/iss...
As I tried to copy and paste above, you can do "the best you can" with previous versions of Chrome while waiting for 18 to get to stable... just set the web_accessible_resources feature.
"manifest_version=2 simply switches the default. Instead of web_accessible_resources defaulting to off, it defaults to on."
"you should not update your extension to manifest_version=2 until Chrome 18 is deployed to the stable channel."
etc.
If you truly want to exclude pre-v18 already just because of the enumeration issue that is up to you but seems rather drastic.
-
18 is headed to stable soon, right? I don't want to exclude older Chromes, but it seems like upgrading to v2 now is fewer changes to keep track of (no need to upgrade later). Might make sense if 18 is released before Ghostery 3.1.0.
Anyway, noted. We'll resolve it either way. Depends on release timing.
-
Ghostery 4.1.0 for Chrome, released today, uses manifest version 2, which should fix this issue.
-
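An added example, not part of the thread or of Ghostery's code: a small audit that reads an extension manifest and reports which packaged files a web page could request, given `manifest_version` and `web_accessible_resources`. The function name, sample manifests and file list are constructed for illustration, and `fnmatchcase` is assumed to be a close enough approximation of Chrome's wildcard matching.

```python
import json
from fnmatch import fnmatchcase

def resource_exposure(manifest_text, packaged_files):
    """Report which packaged files a web page may load from this extension."""
    manifest = json.loads(manifest_text)
    version = manifest.get("manifest_version", 1)  # key absent => version 1
    patterns = manifest.get("web_accessible_resources")
    files = [f.lstrip("/") for f in packaged_files]

    if patterns is None:
        # Version 2 with no list exposes nothing; version 1 with no list
        # exposes every file, which is what makes enumeration possible.
        if version >= 2:
            return {"mode": "none", "reachable": [], "broad": []}
        return {"mode": "all", "reachable": files, "broad": []}

    patterns = [p.lstrip("/") for p in patterns]
    # Assumption: fnmatchcase approximates Chrome's wildcard matching.
    reachable = [f for f in files if any(fnmatchcase(f, p) for p in patterns)]
    # A pattern made only of wildcards, dots and slashes re-exposes everything.
    broad = [p for p in patterns if p and not p.strip("*./")]
    return {"mode": "listed", "reachable": reachable, "broad": broad}

# Constructed sample package and manifests (not taken from any real extension).
FILES = ["manifest.json", "background.js", "images/icon.png", "images/badge.png"]
V1_PLAIN = '{"name": "sample", "version": "1.0"}'
V1_LISTED = ('{"name": "sample", "version": "1.0", '
             '"web_accessible_resources": ["images/badge.png"]}')
V2_PLAIN = '{"name": "sample", "version": "1.0", "manifest_version": 2}'
V2_WILD = ('{"name": "sample", "version": "1.0", "manifest_version": 2, '
           '"web_accessible_resources": ["*"]}')

if __name__ == "__main__":
    for label, text in [("v1, no list", V1_PLAIN), ("v1, listed", V1_LISTED),
                        ("v2, no list", V2_PLAIN), ("v2, wildcard", V2_WILD)]:
        print(label, resource_exposure(text, FILES))
```

As the thread notes, Chrome versions before 18 ignore `web_accessible_resources`, so the "listed" result only describes Chrome 18 and later.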