Question

I was under the impression that accessing elements from a site is Cross-Domain Access and unless the origin was allowed then you couldn't access those elements from the 'target'.

How is this different, for example, from loading SalesForce.com in an iframe and trying to access the login page (which you can't, for obvious reasons) vs. how LastPass can access those elements to fill in my password and username? Or even Chrome form filler?

Does a browser extension actually have more control or power to do this? If so, what are the underlying geeky details?

Thanks!!

Solution

Yes, when someone writes an extension they create a manifest defining the required permissions. So when installing the extension, you explicitly have to agree with these permissions, especially ones like 'Access your data on all websites'.

Extensions are by default bound to the regular sandboxing rules of websites, unless they request more via the manifest, like LastPass does, and Chrome itself does implicitly.
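The permission model described in the answer, as an added example that is not part of the original answer: a small audit that reads an extension manifest and reports whether its declared host patterns cover a given page. The two manifests are constructed samples, the function names are hypothetical, and the pattern matcher is a simplified version of Chrome's match-pattern rules.

```javascript
// Constructed sample manifests (not taken from any real extension).
const passwordManager = {
  manifest_version: 3,
  name: "Example password filler",
  permissions: ["storage", "activeTab"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*/*", "http://*/*"], js: ["fill.js"] }],
};
const singleSite = {
  manifest_version: 2,
  name: "Example single-site helper",
  permissions: ["storage", "https://*.example.com/*"],
};

// Collect every host match pattern a manifest declares: MV2 mixes them into
// "permissions", MV3 uses "host_permissions", content scripts list "matches".
function hostPatterns(manifest) {
  const isPattern = (p) => p === "<all_urls>" || p.includes("://");
  const scripts = (manifest.content_scripts || []).flatMap((c) => c.matches || []);
  return [...(manifest.permissions || []), ...(manifest.host_permissions || []), ...scripts]
    .filter(isPattern);
}

// Simplified match-pattern test: scheme, host (leading "*." wildcard), path glob.
function patternMatches(pattern, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (pattern === "<all_urls>") return ["http", "https", "file", "ftp"].includes(scheme);
  const m = /^(\*|[a-z]+):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return false;
  const [, pScheme, pHost, pPath] = m;
  if (pScheme === "*" ? !["http", "https"].includes(scheme) : pScheme !== scheme) return false;
  const hostOk = pHost === "*" || pHost === u.hostname ||
    (pHost.startsWith("*.") && (u.hostname === pHost.slice(2) || u.hostname.endsWith(pHost.slice(1))));
  const pathRe = new RegExp("^" + pPath.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$");
  return hostOk && pathRe.test(u.pathname + u.search);
}

// Does the extension request every site, and can it reach the page at `url`?
function audit(manifest, url) {
  const patterns = hostPatterns(manifest);
  const broad = ["<all_urls>", "*://*/*", "https://*/*", "http://*/*"];
  return {
    allSites: patterns.some((p) => broad.includes(p)),
    canAccess: patterns.some((p) => patternMatches(p, url)),
  };
}
```

An `allSites: true` result corresponds to the "Access your data on all websites" prompt mentioned in the answer; a manifest with no host patterns leaves the extension with no declared access to any page's DOM.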

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow