why would the browser ever expose extensions api to a web page. does firefox doe...

ceejayoz · 2026-04-02T13:40:41 1775137241

The "The Attack: How it works" section explains how it works. It's not an API.

I am a little surprised something like CORS doesn't apply to it, though.

acorn221 · 2026-04-02T13:48:51 1775137731

So these extensions allow linkedin to do this though, it's literally them saying "yes, this site can ping this resource" - called "web_accessible_resources".

This is fair from Linkedin IMO as I've seen loads of different extensions actually scraping the linkedin session tokens or content on linkedin.

entropyneur · 2026-04-02T16:56:00 1775148960

It's not the extension developer who should decide this, but the browser user.

Hackbraten · 2026-04-03T06:33:46 1775198026

On what would the browser user base their decision?

If an extension injects an icon into the DOM of the page, then the resulting `img` tag needs to put something in its `src`.

The extension author may choose to use the `data:` scheme, but that's a development-time decision.

Panda4 · 2026-04-02T13:43:43 1775137423

> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions.

It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so.

edit: I answered before I go fully through the article but it does say it's only Chrome based.

> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.

> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.

OoooooooO · 2026-04-02T13:51:17 1775137877

Firefox uses UUID for the local extension url per extension so you can't search for hardcoded local urls.

dylan604 · 2026-04-02T13:50:56 1775137856

What is a Chrome-based browser? Isn't Chrome Google's Chromium based browser? How many are based on Chrome?

Panda4 · 2026-04-02T14:13:50 1775139230

> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.

dylan604 · 2026-04-02T15:29:00 1775143740

Exactly, so again, what is a Chrome-based browser?

Sohcahtoa82 · 2026-04-02T16:51:22 1775148682

A lot of people mistakenly refer to Chromium-based browsers as being Chrome-based.

I feel like this is obvious and you know that this is the exact mistake being made, but rather than drop an actual correction, you take the insufferable approach of pretending you don't know what's happening and forming the correction as a question.

JumpCrisscross · 2026-04-02T17:28:38 1775150918

> A lot of people mistakenly refer to Chromium-based browsers as being Chrome-based

This seems to be a case where the poison seeps through the cracks. From Google and Chrome to other Chromium-based browsers. In very correct ways, in this case, they are Chrome based.

andersonpico · 2026-04-02T14:07:13 1775138833

From "The Attack: How it works", its just checking the user agent string:

function a() { return "undefined" != typeof window && window && "node" !== window.appEnvironment; }

function s() { return window?.navigator?.userAgent?.indexOf("Chrome") > -1; }

if (!a() || !s()) return;

thom · 2026-04-02T13:45:16 1775137516

I was under the impression Firefox randomises extension IDs on install, so hopefully not?

Raed667 · 2026-04-02T13:54:10 1775138050

they seem to be calling `chrome-extension://.....` so i don't think it applies to firefox

hedora · 2026-04-02T14:45:02 1775141102

The answer to "why would Chrome ever undermine privacy and security?" is always "Google's revenue stream".

I'm happy to see that this doesn't hit firefox. I wonder if safari is impacted.