Simon Willison (@simon@simonwillison.net)
fedi.simonwillison.net
It turns out Google Chrome ships a default, hidden extension that allows code on `*.google.com` access to private APIs, including your current CPU usage You can test it out by pasting the following into your Chrome DevTools console on any Google page: chrome.runtime.sendMessage( "nkeimhogjdpnpccoofpliimaahmaaome", { method: "cpu.getInfo" }, (response) => { console.log(JSON.stringify(response, null, 2)); }, ); More notes here: https://simonwillison.net/2024/Jul/9/hangout_servicesthunkjs/
  • tal@lemmy.todayEnglish
    211·
    4 months ago

    Not an area I’m familiar with, but this user says no:

    https://news.ycombinator.com/item?id=40918052

    lashkari 5 hours ago | prev | next [–]

    If it’s really accessible from *.google.com, wouldn’t this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?

    DownrightNifty 5 hours ago | parent | next [–]

    JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS >happens.