Research Reveals More Than 2000 Chrome Extensions Disabled Security Headers

Tens of thousands of Google Chrome extensions accessible from the official Chrome Online Store manipulate security headers on major websites, exposing visitors to the danger of web attacks.

Although security headers are little known, they are a vital part of the present internet ecosystem. The HTTP security header is a key component of website security. When implemented, it protects users against the kinds of attacks most likely to happen on the website. These headers protect against XSS, code injection, clickjacking, etc.

In many of the cases they examined, according to the research team, Chrome extensions deactivated CSP and other security headers “to introduce additional seemingly benign functionalities on the visited web page,” and did not appear to be nefarious in purpose. That is because, paradoxically, Chrome's framework forces extensions to do that in the name of security. Standard extension code can access the page's DOM, but it cannot interact with the scripts on the page.

When a user visits a website, the browser requests the webpage from a server. While websites themselves are delivered as HTML, JavaScript, and CSS code, website owners can direct the browser to handle the provided material in various ways by adding additional parameters to the HTTP response headers.

While not all websites have security headers, many of today's leading Web services commonly incorporate them to protect their customers against attacks, as they frequently face more web-based attacks than conventional sites, because of their larger size. 

Although website managers configure their security headers, this does not mean that the security headers are still in place on the client side, where such things can be detected and prevented ..
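A defender reviewing an extension can check whether it strips the headers described above. The following is an added example, not code from the article or the research team; it assumes the extension declares header changes through Chrome's declarativeNetRequest rule files, and the header watch-list, `auditRules` and the sample rules are constructed for illustration.

```javascript
// Added example: audit declarativeNetRequest rules for security-header tampering.
// Watch-list chosen for this example (assumption); the article names only CSP explicitly.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "strict-transport-security",
  "x-content-type-options",
]);

// Returns one finding per rule action that removes or overwrites a watched response header.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const h of action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase(); // header names are case-insensitive
      if (!SECURITY_HEADERS.has(name)) continue;
      if (h.operation === "remove" || h.operation === "set") {
        findings.push({
          ruleId: rule.id,
          header: name,
          operation: h.operation,
          scope: (rule.condition && rule.condition.urlFilter) || "(all URLs)",
        });
      }
    }
  }
  return findings;
}

// Constructed sample rule file, not taken from any real extension.
const sampleRules = [
  { id: 1, action: { type: "modifyHeaders",
      responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }] },
    condition: { resourceTypes: ["main_frame"] } },
  { id: 2, action: { type: "modifyHeaders",
      responseHeaders: [{ header: "X-Frame-Options", operation: "set", value: "constructed-value" }] },
    condition: { urlFilter: "||example.com^", resourceTypes: ["sub_frame"] } },
  { id: 3, action: { type: "block" }, condition: { urlFilter: "||ads.example^" } },
  { id: 4, action: { type: "modifyHeaders",
      requestHeaders: [{ header: "User-Agent", operation: "remove" }] },
    condition: { urlFilter: "||example.org^" } },
];

for (const f of auditRules(sampleRules)) {
  console.log(`rule ${f.ruleId}: ${f.operation} ${f.header} on ${f.scope}`);
}
```

Extensions that rewrite headers from code rather than from rule files are not covered by this check.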