Browser Extension Security

This page covers Browser Extension Security topics. For general PixieBrix security and compliance information, see Security and Compliance

Controlling Access to Hosts/Origins

Access to hosts/origins is controlled via the runtime_blocked_hosts and runtime_allowed_hosts policies. See

The PixieBrix extension requires access to thepixiebrix.com domain and subdomains to function

For example, to only allow PixieBrix to modify the domain, provide the following settings:

runtime_blocked_hosts
- *://*
runtime_allowed_hosts
- https://*.pixiebrix.com
- https://*.example.com

Frequently Asked Questions (FAQs)

What security certifications do you have?

PixieBrix has completed a SOC-2 Type 2 with covering the following trust criteria:

Security
Availability
Confidentiality

Is the browser extension source available?

What browser permissions does PixieBrix's extension require?

Has a 3rd party audited the PixieBrix Browser Extension?

In August 2023, PixieBrix completed the Google Cloud Application Security Assessment (CASA)
The Google Chrome Web Store team reviews the extension prior to publishing in the Chrome Web Store

Could you explain your CRXcavator Extension Risk Report?

CRXcavator is a tool from Duo Security to assess the risk of Browser Extensions automatically. As an automated scanning tool, its results must be put into context due to false positives.

Relative Risk Scores of Other Extensions

The PixieBrix extension is a leader compared to other enterprise automation extensions:

Permissions

The Chrome Web Store team reviews the extension with respect to the stated purpose of each permission.

The main permissions risks flagged by CRXcavator are:

<all_urls> host permission. This permission is required for certain behaviors for compliance use cases (e.g., screenshot capture). As an IT admin, you can set the Chrome Extension policy to override this permission to allow/forbid certain origins
tabs permission. PixieBrix must be able to monitor tab events for navigation and cross-tab messaging/automation. PixieBrix does not transmit/collect information about URLs

Content Security Policy (CSP)

The main CSP risks included in the CRXCavator score are:

connect-src: https: , http: Required for PixieBrix to be able to be make API calls for integrations
frame-src: https:. Required to support embedding iframes in custom panels.
image-src: https:. Required to support embedding logos/images for theming and custom panels
script-src: unsafe-eval:. Required for dynamic page modification and templating. PixieBrix does not request external Javascript

External Communications

CRXcavator scans for URLs/hostnames, including in locations that are not executed/interpreted

reactjs.org: false positive, the React web framework’s documentation site
jsonschema.org: false positive, PixieBrix uses the JSON Schema standard for input and output schemas. It does not connect to the site
app.pixiebrix.com: for API calls to the primary PixieBrix service

PreviousManaged Storage Schema NextNetwork/Email Firewall Configuration

Last updated 1 year ago

Was this helpful?