Extension security in Safari.
I apologize if this topic has already been covered but I could not find mention of it after using multiple search terms or within the knowledge base. All of the entries that came close to addressing my question were from 2011.
Is it safe to use the 1Password extension with other extensions in Safari? Also do extensions in Safari communicate between each other? If they do it would seem to me that there is a security vulnerability in using the 1Password extension along with other extensions. I know that extensions communicate with each other in Google Chrome according to it's FAQ.
I am using Safari 6.1.6 and 1Password 3.8.22 on Mac OS X 10.7.5.
Thanks for any input and have a great day.
Comments
-
Hi, Liminal. Thanks for your post. It's great that you're thinking of these kinds of things!
Safari extensions on OS X are isolated from one another and different parts of each extension are isolated from each other as well. There are scripts that can interact with the content of the page ("end scripts" in Safari's terms) and these are isolated from the scripts that are running on the page so the page can't call or override the extension's script content and also isolated from the scripts running in other extensions. Part of this is to protect from conflicts and also to protect the security of the extension from other scripts executing in other contexts.
Then there are the global scripts for each extension. These are also isolated and have very limited communication with the end scripts via message passing. Depending on the browser, the global scope can do different kinds of things, but generally this is where things like the extensions' data storage and preferences are stored. Again, these are isolated. They can't interact with other extensions' global scripts and they don't have direct communication and interaction with the page content.
Overall, this architecture ensures that the code in any given extension behaves the same across pages and with other extensions installed. It also ensures that any concerns about security are isolated to a given extension's sandbox and prevented from causing havoc in other extensions.
I hope that helps explain things a bit. Please let us know if you have any other questions or concerns. We're always here to help.
0 -
Hi @Liminal,
Great questions!
Is it safe to use the 1Password extension with other extensions in Safari?
We have heard of some edge cases where a particular extension could cause a conflict with the 1Password extension, but there should be no safety concerns here. (I can't recall any specific extensions off the top of my head.)
Also do extensions in Safari communicate between each other? If they do it would seem to me that there is a security vulnerability in using the 1Password extension along with other extensions.
The 1Password extension has to be able to communicate with the main 1Password app, but it does not communicate with any other extensions. You're right, that would introduce potential security concerns.
I hope this answers your questions, but we're here for you if you would like to know anything further! :)
0 -
Thank you both for replying to my post / question. After I saw what I would consider a potential if not likely security vulnerability in Google Chrome I was really concerned about running multiple extensions at the same time. It had never been a problem in the past as I only ran one extension. I'm trying to increase my security though and in order to do that I need to start running a couple more extensions. Again thank you both for the replies.
0