Thousands of Chrome extensions are tampering with security headers
Thousands of Google Chrome extensions available on the official Chrome Web Store are tampering with security headers on popular websites, putting users at risk of a wide range of web-based attacks.
Whenever a user accesses a website, the browser makes a request to a server, which then delivers the website. While the websites per-se are displayed through HTML, JavaScript, and CSS code, website administrators can add additional settings in the HTTP connection header to instruct the user’s browser to treat the delivered content in a certain way.
Security headers are a type of HTTP response that have been created across the years by internet standards groups to allow website administrators to activate and customize security features inside the user’s browser or other client applications.
Some of the most common security headers in use today are typically employed by website operators to make sure that their site works via an encrypted HTTPS connection, that users are protected from cross-site scripting attacks, or that code running inside iframes can’t steal their browser data.
/cdn.vox-cdn.com/uploads/chorus_asset/file/23935561/acastro_STK103__04.jpg)
/cdn.vox-cdn.com/uploads/chorus_asset/file/24371483/236494_Mac_mini__2023__AKrales_0066.jpg)
