I'm trying to understand security implications of using browser extensions storage
. A few things are not clear to me when I read the WebExtensions storage documentation.
Documentation says among others that:
Values are scoped to the extension, not to a specific domain (i.e. the same set of key/value pairs are available to all scripts in the background context and content scripts).
also:
Each extension has its own storage area, which can be split into different types of storage.
also:
The storage area is not encrypted and shouldn't be used for storing confidential user information.
Considering the above I still have a few questions here:
I read a few bits about localStorage
(in)security but I'm not sure if and how those rules apply to
Thanks in advance for your help!
Note: storage.local
(e,g. browser.storage.local.get('item')
or chrome.storage.local.get('item'))
is a WebExtension API and limited to the extension. It should not be confused with Window.localStorage
(e.g. localStorage.getItem('item')
) which is a Web API and not secure and accessible.
storage.local
:Is it possible for extension E to access data stored by extension A?
No. Each extension has its own storage.local
area and not accessible by other extensions.
Is it possible for an arbitrary webpage to access data stored by extension A?
No. As above access is limited to the extension only.
Is it possible for a webpage on which extension A is run to access data stored by this extension?
No. As above.