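Just a quick project I did to verify some concerns about Chrome extensions having access to all Secure/HttpOnly cookies (on domains they have requested access to). HttpOnly only hides a cookie from page scripts (`document.cookie`); it does not apply to the extension `chrome.cookies` API, so the host patterns in the manifest's `permissions` list are what bound which cookies the extension can read.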

manifest.json 298B

  1. {
  2. "manifest_version": 2,
  3. "name": "Sandbox Tester",
  4. "version": "0.1",
  5. "browser_action": {
  6. "default_icon": {
  7. "16": "icon-yellow.png"
  8. },
  9. "default_title": "security-test",
  10. "default_popup": "main.html"
  11. },
  12. "permissions": [
  13. "cookies",
  14. "*://*.facebook.com/"
  15. ]
  16. }