
I am building a Chrome extension that will be making cross origin "get" and "post" requests to a few third party websites. I have been researching this process for hours and I am becoming increasingly concerned with security.

I need to get the "add to bag" URL info and post user information to that page to fill out the required fields. My Chrome extension has a background JavaScript page, a popup JavaScript page, an HTML page with user info, and a popup HTML page. The HTTP request will occur on the background JavaScript page and send a cross-origin request to the website that the user is currently visiting.

I am worried about the security when posting user data and the possibility of retrieving malicious info when I use the GET request to get data from the page, possibly an image, and the add to bag URL. I have read about escaping, but I am not really sure how this process works. Do I simply use encodeURIComponent()?

function httpGetAsync(theUrl, callback) {
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.onreadystatechange = function () {
        // only act once the response is complete and successful
        if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
            var resp = encodeURIComponent(xmlHttp.responseText);
            callback(resp);
        }
    };
    xmlHttp.open("GET", theUrl, true);
    xmlHttp.send(null); // dispatch the request
}

I found this website covering how to prevent XSS attacks: XSS (Cross Site Scripting) Prevention Cheat Sheet

Should I use JSONP coupled with an escaping function, such as this function nested under the if statement?

// escapeResponse is a hypothetical name; callback is the one passed to httpGetAsync
var escapeResponse = function (xmlHttp) {
    // function to escape data? not sure how to do this
    var resp = encodeURIComponent(xmlHttp.responseText);
    callback(resp);
};

The Chrome developers website states that:

document.getElementById("resp").innerText = xhr.responseText;
or: resp = JSON.parse(xhr.responseText);

are safe practices and to simply avoid using .innerHTML.

Any advice or suggested reading material for further research will help me out immensely.

  • Quick not-quite-an-answer: DO NOT use JSONP. Just don't. Ever. You think you're worried about the security of CORS (Cross-Origin Resource Sharing, the thing that lets you use cross-origin XHR), but trust me, JSONP is much worse. JSONP is a hack to work around a browser security feature, and like most such hacks, it tends to permit more than you meant it to. It wouldn't actually protect you in this particular situation any more than CORS does anyhow; you still need to safely display the returned content in your page.
    – CBHacking
    Commented Oct 19, 2015 at 1:50
  • Ok sounds good. Thank you for your comment and telling me about JSONP. I will completely avoid using JSONP.
    – john dith
    Commented Oct 20, 2015 at 23:04

1 Answer


Don't use encodeURIComponent - this is for percent-encoding values for insertion into URIs (as suggested by its name).

Data itself cannot be malicious. It can only be "malicious" in the context where it is used. If all you are doing is displaying it on the page, go with the recommendation of setting text rather than HTML, as any characters with special meaning will be properly encoded using this property.

Use textContent rather than innerText as the latter is specific to Internet Explorer, with a few other browsers tagging along rather than a web standard.

JSONP is less secure than CORS, as you have to trust that the external domain is not injecting malicious script into your site (whether the external domain is malicious or has been itself compromised).

  • Ok, that is great news. Personal information will be stored in the extension, so I do not want this data vulnerable to attacks. I will also be getting an image src and website URL; would it be necessary to escape this data before displaying, and how would I go about doing that? Thank you for your help.
    – john dith
    Commented Oct 20, 2015 at 23:13
  • JSONP also is potentially vulnerable to several sorts of reflection attacks. I've seen examples where you can straight-up put a HTML document in the callback parameter and build your own reflected XSS page, though usually something slightly trickier - like Flash applet reflection - is needed instead. Those are more threats for the domain hosting the JSONP endpoint, but you shouldn't be using JSONP on the modern web anyhow. CORS makes it completely obsolete.
    – CBHacking
    Commented Oct 21, 2015 at 2:19
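
The answer's point (parse the response as data and set text, not HTML) applied to the asker's follow-up about an image src and an "add to bag" URL, as an added example that is not code from the question or the answer. It assumes the third-party response is JSON with name, image and addToBag fields, and that the element objects passed in are DOM elements (plain objects with the same properties work offline).

```javascript
// Added example (not code from the question or the answer above): showing
// third-party response data in the extension's page without letting it act
// as HTML. Assumptions: the response is JSON carrying an item name, an image
// URL and an "add to bag" URL, and the element objects passed in are DOM
// elements (plain objects with the same properties work for offline tests).

// Constructed sample response, deliberately hostile on every field.
var SAMPLE_RESPONSE = JSON.stringify({
  name: "<img src=x onerror=alert(1)>",
  image: "javascript:alert(1)",
  addToBag: "https://shop.example/bag?add=42"
});

// What the question must avoid: responseText becomes markup, so an onerror
// handler or <script> inside the third party's data runs in the extension.
function renderUnsafe(container, responseText) {
  container.innerHTML = responseText;
}

// Accept only http(s) URLs. javascript:, data: and unparseable values are
// rejected so they never land in an href or src, even via property assignment.
function safeHttpUrl(candidate) {
  var url;
  try {
    url = new URL(String(candidate));
  } catch (e) {
    return null;
  }
  return (url.protocol === "http:" || url.protocol === "https:") ? url.href : null;
}

// The safe form: parse as data with JSON.parse, then assign text via
// textContent and URLs via the src/href properties. None of these paths
// parses the value as HTML, so no escaping of the string is needed.
function renderSafe(els, responseText) {
  var data = JSON.parse(responseText);   // throws on non-JSON responses
  els.name.textContent = String(data.name);
  var image = safeHttpUrl(data.image);
  var addToBag = safeHttpUrl(data.addToBag);
  if (image !== null) { els.image.src = image; }
  if (addToBag !== null) { els.link.href = addToBag; }
  return { image: image, addToBag: addToBag };
}
```

With the sample above, the item name is shown literally as text, the javascript: image URL is dropped, and only the https add-to-bag URL reaches the link.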
