Security of native messaging?

名媛妹妹 2021-01-15 22:09

I have an NPAPI plugin for sign-in data on a website.

I want to replace it with Native Messaging technology. I have read the documentation, but I have a question: Is this

2 Answers
  • 2021-01-15 22:40

    You realize, of course, that Native Messaging will ONLY work within the bounds of the machine: With native messaging the browser will communicate with your host application over stdin/stdout.

    So what exactly is the problem here? If the hackers are capable of listening to your stdin/stdout they are already on your machine - you've already lost.

  • 2021-01-15 22:43

    It is, in principle, possible to inspect stdio calls made by an executable.

    For instance, on Linux systems, you can use strace for that purpose. I don't know a similar Windows tool, but it's conceivable that it exists.

    That would be akin to attaching a debugger to the browser/native host itself, and can only be done by someone who has access to the local machine with the same user credentials or administrative access. In particular, the user running Chrome can do it - just like he/she can use Dev Tools to inspect and intercept the data at the JavaScript side.

    So, yes, in principle that can be intercepted, but only by someone with full rights to execute/debug code on the system it's running on, and the OS takes care not to allow normal users to inspect processes of other users in this way.

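To make concrete what travels over the stdin/stdout pipe both answers refer to, here is an added example (not part of the original question or answers) of a minimal native messaging host in Python: it checks the caller origin that Chrome passes as the first argument and parses the length-prefixed JSON frames. The extension ID, the 1 MiB host-side cap and the reply format are assumptions made for illustration.

```python
import json
import struct
import sys

# Assumption: placeholder extension ID; use the one in your manifest's allowed_origins.
ALLOWED_ORIGINS = {"chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"}
MAX_MESSAGE_BYTES = 1024 * 1024  # host-side cap chosen for this example


def caller_allowed(argv):
    """Chrome passes the calling extension's origin as the first argument."""
    return len(argv) > 1 and argv[1] in ALLOWED_ORIGINS


def read_message(stream):
    """Read one frame: 4-byte native-endian length, then UTF-8 JSON."""
    header = stream.read(4)
    if not header:
        return None  # clean EOF: the browser closed the port
    if len(header) < 4:
        raise ValueError("truncated length header")
    (length,) = struct.unpack("=I", header)
    if length > MAX_MESSAGE_BYTES:
        raise ValueError("message exceeds host-side cap")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))


def write_message(stream, obj):
    """Write one frame in the same format the browser expects back."""
    body = json.dumps(obj).encode("utf-8")
    stream.write(struct.pack("=I", len(body)) + body)
    stream.flush()


def main(argv):
    if not caller_allowed(argv):
        return 1  # refuse callers that are not on the allow-list
    while (msg := read_message(sys.stdin.buffer)) is not None:
        # Placeholder handler: acknowledge with the field names only.
        keys = sorted(msg) if isinstance(msg, dict) else []
        write_message(sys.stdout.buffer, {"ok": True, "keys": keys})
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The origin argument is supplied by whoever launches the process, so this check guards against a misconfigured manifest rather than against other code running as the same user, which is the boundary the answers describe.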