# Browser Extension Security

{% hint style="info" %}
This page covers Browser Extension Security topics. For general PixieBrix security and compliance information, see [Security and Compliance](/enterprise-it-setup/security-and-compliance.md).
{% endhint %}

## Controlling Access to Hosts/Origins <a href="#block-4bcc9c7d5f64405c887f7ad087d445f0" id="block-4bcc9c7d5f64405c887f7ad087d445f0"></a>

Access to hosts/origins is controlled via the `runtime_blocked_hosts` and `runtime_allowed_hosts` policies. See [Configure ExtensionSettings policy](https://support.google.com/chrome/a/answer/9867568?hl=en) for more information.

{% hint style="info" %}
The PixieBrix extension requires access to the `pixiebrix.com` domain and its subdomains to function.
{% endhint %}

For example, to allow PixieBrix to modify only the [`example.com`](http://example.com/) domain, provide the following settings:

* `runtime_blocked_hosts`
  * `*://*`
* `runtime_allowed_hosts`
  * `https://*.pixiebrix.com`
  * `https://*.example.com`
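Assuming the JSON shape of Chrome's ExtensionSettings policy and a simplified version of Chrome's host-pattern matching (allowed hosts override blocked ones; paths and ports are ignored), this added Python model, which is not PixieBrix's or Chrome's code, encodes the settings above and checks which origins the extension ends up able to reach. The extension ID is the one from the CRXcavator report link on this page.

```python
from urllib.parse import urlsplit

# Chrome Web Store ID of the PixieBrix extension, taken from the CRXcavator
# report URL on this page.
PIXIEBRIX_EXTENSION_ID = "mpjjildhmpddojocokjkgmlkkkfjnepo"

# ExtensionSettings policy body: block every origin, then re-allow the
# PixieBrix service and example.com (the patterns from the text above).
EXTENSION_SETTINGS = {
    PIXIEBRIX_EXTENSION_ID: {
        "runtime_blocked_hosts": ["*://*"],
        "runtime_allowed_hosts": [
            "https://*.pixiebrix.com",
            "https://*.example.com",
        ],
    }
}

def _host_matches(pattern_host: str, host: str) -> bool:
    """'*' matches any host; '*.example.com' matches example.com and every
    subdomain; anything else must match exactly (simplified Chrome rules)."""
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        base = pattern_host[2:]
        return host == base or host.endswith("." + base)
    return host == pattern_host

def pattern_matches(pattern: str, url: str) -> bool:
    """Does a scheme://host pattern cover this URL? Paths and ports are
    ignored here (assumption: runtime host policies are origin-level)."""
    p_scheme, _, p_host = pattern.partition("://")
    parts = urlsplit(url)
    scheme_ok = p_scheme in ("*", parts.scheme)
    return scheme_ok and _host_matches(p_host, parts.hostname or "")

def extension_may_access(url: str, extension_id: str = PIXIEBRIX_EXTENSION_ID,
                         settings: dict = EXTENSION_SETTINGS) -> bool:
    """runtime_allowed_hosts overrides runtime_blocked_hosts, so an allowed
    match wins; otherwise any blocked match denies."""
    rules = settings.get(extension_id, {})
    if any(pattern_matches(p, url) for p in rules.get("runtime_allowed_hosts", [])):
        return True
    return not any(pattern_matches(p, url) for p in rules.get("runtime_blocked_hosts", []))

if __name__ == "__main__":
    for u in ("https://app.pixiebrix.com/api/", "https://www.example.com/",
              "http://example.com/", "https://intranet.corp.test/"):
        print(u, "->", "allowed" if extension_may_access(u) else "blocked")
```

Note that with the `https://` patterns above, plain `http://` pages on the allowed domains stay blocked; add an `http://` or `*://` pattern if that is intended.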

## Frequently Asked Questions (FAQs) <a href="#block-66877facf6d94bab8f99734bb27ecbb0" id="block-66877facf6d94bab8f99734bb27ecbb0"></a>

### What security certifications do you have? <a href="#block-9fd8ad04a46149ea85192a143e1e4594" id="block-9fd8ad04a46149ea85192a143e1e4594"></a>

PixieBrix has completed a SOC-2 Type 2 with [A-LIGN](https://www.a-lign.com/) covering the following trust criteria:

* Security
* Availability
* Confidentiality

You can find an [overview of our controls on our website's Security page](https://www.pixiebrix.com/security). The SOC-2 includes the browser extension.

### Is the browser extension source available? <a href="#block-9fd8ad04a46149ea85192a143e1e4594" id="block-9fd8ad04a46149ea85192a143e1e4594"></a>

Yes, the [browser extension is source-available on GitHub](https://github.com/pixiebrix/pixiebrix-extension).

### What browser permissions does PixieBrix's extension require? <a href="#block-9fd8ad04a46149ea85192a143e1e4594" id="block-9fd8ad04a46149ea85192a143e1e4594"></a>

See our [Extension permissions section of our Privacy Policy](https://www.pixiebrix.com/privacy/#extension-permissions-1).

### Has a 3rd party audited the PixieBrix Browser Extension? <a href="#block-d14d7a8a56b943a992262eab5f17ecc7" id="block-d14d7a8a56b943a992262eab5f17ecc7"></a>

* In July 2023, the latest independent penetration test by [A-LIGN](https://www.a-lign.com/) included the Browser Extension in the test scope. The penetration test report is available upon request.
* In August 2023, PixieBrix completed the Google Cloud Application Security Assessment (CASA).
* The Google Chrome Web Store team reviews the extension prior to publishing in the Chrome Web Store.

### Could you explain your CRXcavator Extension Risk Report? <a href="#block-2230a92fe41d4259bdc998767c9b6eba" id="block-2230a92fe41d4259bdc998767c9b6eba"></a>

{% hint style="info" %}
[You can view the CRXcavator report here](https://crxcavator.io/report/mpjjildhmpddojocokjkgmlkkkfjnepo?platform=Chrome).
{% endhint %}

CRXcavator is a tool from Duo Security that automatically assesses the risk of browser extensions. Because it is an automated scanner, it produces false positives, and its results must be read in context.

**Relative Risk Scores of Other Extensions**

The PixieBrix extension's CRXcavator risk score compares favorably with other enterprise automation extensions (a lower score indicates lower assessed risk):

* [UiPath](https://crxcavator.io/report/dkgencfabioofgdmhhjljpkbbchbikbh?platform=Chrome\&new_scan=true): 481
* [Zapier](https://crxcavator.io/report/ngghlnfmdgnpegcmbpgehkbhkhkbkjpj): 436
* [PixieBrix](https://crxcavator.io/report/mpjjildhmpddojocokjkgmlkkkfjnepo?platform=Chrome): 376
* [1Password](https://crxcavator.io/report/aeblfdkhhhdcdjpifhhbdiojplfjncoa?platform=Chrome\&new_scan=true): 293

**Permissions**

See the [Extension permissions section of our Privacy Policy](https://www.pixiebrix.com/privacy/#extension-permissions-1) for a full explanation of what permissions our extension requests and why.

The Chrome Web Store team reviews the extension with respect to the stated purpose of each permission.

The main permissions risks flagged by CRXcavator are:

* `<all_urls>` host permission. This permission is required for certain behaviors in compliance use cases (e.g., screenshot capture). **As an IT admin, you can set the Chrome Extension policy to override this permission and allow/forbid specific origins.**
* `tabs` permission. PixieBrix must be able to monitor tab events for navigation and cross-tab messaging/automation. PixieBrix does not transmit or collect information about URLs.

**Content Security Policy (CSP)**

{% hint style="info" %}
CRXcavator evaluates the extension's Content Security Policy as declared in the manifest. However, sub-components of the PixieBrix extension apply stricter policies where possible. CRXcavator [describes its point system for the Content Security Policy here](https://crxcavator.io/docs.html#/risk_breakdown?id=content-security-policy).
{% endhint %}

The main CSP risks included in the CRXcavator score are:

* connect-src: `https:`, `http:`. Required for PixieBrix to make API calls for integrations.
* frame-src: `https:`. Required to support embedding iframes in custom panels.
* image-src: `https:`. Required to support embedding logos/images for theming and custom panels.
* script-src: `unsafe-eval:`. Required for dynamic page modification and templating. PixieBrix does not request external JavaScript.

**External Communications**

{% hint style="info" %}
CRXcavator scans for URLs/hostnames anywhere in the extension package, including in locations that are never executed or interpreted.
{% endhint %}

* reactjs.org: false positive, the React web framework's documentation site.
* jsonschema.org: false positive, PixieBrix uses the JSON Schema standard for input and output schemas. It does not connect to the site.
* app.pixiebrix.com: used for API calls to the primary PixieBrix service.
