Steven Palinkas Steven Palinkas - 4 months ago 14
Ajax Question

Privacy - Track Chrome extension's outgoing AJAX queries

Is there any possible way to track a Chrome extension's outgoing network communication from a website?

Let's assume, that a Chrome 'content script' extension sends AJAX queries to a server on a specified IP to create custom analytics. This extension works in the browser while the user browses through various websites.

Is there any possibility for these websites to track what the extension does ( that it opens AJAX ) or where it sends data to? ( To which IP it was trying to send AJAX query )

UPDATE

To be clear, I am curious about an independent third-party website's tracking abilities, not the extension-user's.

UPDATE

More clarification: the extension is sending request to a server not related to the servers/websites the user is browsing.

EXAMPLE

User is browsing Youtube, and Facebook daily. This extension sends AJAX queries to a storage server where the user's visited URL-s are stored. ( Youtube and Facebook ). What I would like to know is, does f.e. Facebook know, that this extension does this, and what's the IP of the storage server?

Xan Xan
Answer

Basically, no, because of the concept of isolated world. Emphasis mine:

Content scripts execute in a special environment called an isolated world. They have access to the DOM of the page they are injected into, but not to any JavaScript variables or functions created by the page. It looks to each content script as if there is no other JavaScript executing on the page it is running on. The same is true in reverse: JavaScript running on the page cannot call any functions or access any variables defined by content scripts.

So if you were thinking of doing something like overriding XMLHttpRequest, this would not work, as a content script has a "safe harbour" you can't touch.

And that's even before the possibility to delegate network operations to the background script, which is a completely different origin.

There is an exception to this: an extension can sometimes inject code directly into the page context. Then it coexists with the website JavaScript and in theory one can spy on another. In practice, however, an extension can execute its code before any of the website's code has a chance to react, and therefore stealth / shield itself from interference.