JingMatrix / ChromeXt

UserScript and DevTools support for Chromium-based and WebView-based browsers
https://jingmatrix.github.io/ChromeXt/
GNU General Public License v3.0

Defend against attacks from malicious `.user.js` sources #100

Closed JingMatrix closed 1 year ago

JingMatrix commented 1 year ago

Attackers can create a page whose URL ends with .user.js to exploit ChromeXt if the user is guided to open it without vigilance.

JingMatrix commented 1 year ago

Currently, there is no good way to detect if a page with a URL ending with user.js is truly a UserScript to install.

This causes a security concern that such pages might install malicious UserScripts without notifying the user. To avoid this possibility / vulnerability, please report any suspicious domains that attempt to exploit it. ChromeXt will put them into an internal blacklist to reduce possible attacks.
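
A heuristic pre-install check for the situation this issue describes, as an added example that is not part of the original thread and is not ChromeXt's own code. The function name, the blocklist entry and the sample inputs are assumptions constructed for illustration; the check only narrows when an install prompt is offered and does not replace explicit user confirmation.

```javascript
// Added illustration; not ChromeXt code. All names here are hypothetical.
const BLOCKED_HOSTS = new Set(["blocked.example"]); // constructed placeholder entry

// The metadata block must be the first thing in the file.
const META_BLOCK = /^\s*\/\/ ==UserScript==\r?\n([\s\S]*?)\/\/ ==\/UserScript==/;

function assessUserScriptCandidate({ url, contentType, body }) {
  const reasons = [];
  const u = new URL(url);
  // Look at the path only: a query string or fragment ending in ".user.js" does not count.
  if (!u.pathname.endsWith(".user.js")) reasons.push("path does not end with .user.js");
  if (BLOCKED_HOSTS.has(u.hostname)) reasons.push("host is on the blocklist");
  // An HTML document served under a .user.js URL is a page, not a script file.
  const mime = (contentType || "").split(";")[0].trim().toLowerCase();
  if (mime === "text/html" || mime === "application/xhtml+xml") reasons.push("served as HTML");
  const m = META_BLOCK.exec(body);
  if (!m) reasons.push("no leading ==UserScript== metadata block");
  else if (!/^\/\/\s*@name\s+\S/m.test(m[1])) reasons.push("metadata block has no @name");
  // Passing every check only means the install prompt may be shown;
  // the user still has to approve the installation explicitly.
  return { offerInstall: reasons.length === 0, reasons };
}

// Constructed sample inputs.
const SAMPLE_SCRIPT =
  "// ==UserScript==\n// @name Demo\n// @match https://example.org/*\n// ==/UserScript==\nconsole.log(1);\n";
const SAMPLES = {
  genuine: { url: "https://scripts.example/demo.user.js",
             contentType: "text/javascript; charset=utf-8", body: SAMPLE_SCRIPT },
  htmlPage: { url: "https://pages.example/article.user.js",
              contentType: "text/html; charset=utf-8", body: "<!DOCTYPE html><html></html>" },
  queryOnly: { url: "https://pages.example/view?file=demo.user.js",
               contentType: "text/javascript", body: SAMPLE_SCRIPT },
  blocked: { url: "https://blocked.example/demo.user.js",
             contentType: "text/javascript", body: SAMPLE_SCRIPT },
};

for (const [label, sample] of Object.entries(SAMPLES)) {
  const { offerInstall, reasons } = assessUserScriptCandidate(sample);
  console.log(label, offerInstall ? "offer install prompt" : "treat as ordinary page", reasons);
}
```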