Comment on page
Browser Extension Security
- In August 2023, PixieBrix completed the Google Cloud Application Security Assessment (CASA)
- The Google Chrome Web Store team reviews the extension prior to publishing in the Chrome Web Store
CRXcavator is a tool from Duo Security to assess the risk of Browser Extensions automatically. As an automated scanning tool, its results must be put into context due to false positives.
Relative Risk Scores of Other Extensions
The PixieBrix extension is a leader compared to other enterprise automation extensions:
The Chrome Web Store team reviews the extension with respect to the stated purpose of each permission.
The main permissions risks flagged by CRXcavator are:
/*host permission. PixieBrix includes support for running on any page/calling any API. As an IT admin, you can set the Chrome Extension policy to override this permission to allow/forbid certain origins
<all_urls>host permission. This permission is required for certain behaviors for compliance use cases (e.g., screenshot capture). As an IT admin, you can set the Chrome Extension policy to override this permission to allow/forbid certain origins
tabspermission. PixieBrix must be able to monitor tab events for navigation and cross-tab messaging/automation. PixieBrix does not transmit/collect information about URLs
Content Security Policy (CSP)
CRXcavator evaluates the extension’s Content Security Policy in the manifest. However, sub-components of the PixieBrix extension apply stricter policies where possible. The CRXcavator describes their point system for the Content Security Policy here
The main CSP risks included in the CRXCavator score are:
https:. Required for PixieBrix to be able to be make API calls for integrations
https:. Required to support embedding iframes in custom panels.
https:. Required to support embedding logos/images for theming and custom panels
CRXcavator scans for URLs/hostnames, including in locations that are not executed/interpreted
- reactjs.org: false positive, the React web framework’s documentation site
- jsonschema.org: false positive, PixieBrix uses the JSON Schema standard for input and output schemas. It does not connect to the site
- app.pixiebrix.com: for API calls to the primary PixieBrix service