Content scripts run in the context of every web page the user visits, giving them direct DOM access to password fields, credit card inputs, and API key fields. Automatically reading these values — even for seemingly benign purposes like autofill — is classified as unauthorized data access under OWASP 2021 A02 and CWE-200. A compromised extension or malicious update can silently exfiltrate credentials at scale across every site the user visits. The Chrome Web Store User Data Policy explicitly prohibits capturing sensitive fields without user initiation; violations result in immediate takedown and potential account termination.
Critical because automatic DOM capture of password or credit card fields enables credential theft at browser scale — an attacker who compromises the extension gains silent keylogger capability across every site the user visits.
Remove all automatic sensitive field access from content scripts. If your extension must interact with credential fields, require a preceding user gesture:
    // content.js: only read the field after an explicit user click and confirmation
    document.addEventListener('click', (e) => {
      if (e.target.matches('input[type="password"]')) {
        if (confirm('Allow extension to read this field?')) {
          const value = e.target.value;
          // process value only here, inside the user-initiated handler
        }
      }
    });
For legitimate credential management, use the browser's native Credential Management API with explicit user consent rather than direct DOM reads.
ID: extension-data-privacy.data-collection.no-sensitive-dom-capture
Severity: critical
What to look for: Examine content scripts for patterns that read sensitive form fields (password inputs, credit card fields, SSN fields, API keys) from the DOM. Look for JavaScript accessing <input type="password">, credit card field patterns, or high-value data without user-initiated action. Check whether the extension auto-fills or submits forms containing sensitive data.
Pass criteria: Enumerate all content script files and list all DOM access patterns in each. Content scripts do not capture passwords, credit card numbers, or API keys from form fields. If the extension interacts with sensitive fields, it only does so in response to explicit user action. All (100%) of sensitive field interactions must be user-initiated.
Fail criteria: Content scripts automatically read or log sensitive form fields without user interaction. Password fields, credit card inputs, or other high-risk data are accessed in background monitoring or periodic scanning. Must not pass when any querySelector('input[type=password]') access lacks a preceding user event handler.
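The fail criterion above can be automated as a first-pass check. The following is an added example, not the rule's own or any project's tooling: a heuristic scan that flags selector accesses naming sensitive fields which do not sit lexically inside the body of a user-event listener. The selector patterns, the list of gesture events and the brace-matching approach are assumptions; it works on source text rather than an AST, so it over-reports handlers passed by reference.

```javascript
// Added example (not the rule's own tooling): heuristic, text-level scan for the fail
// criterion "sensitive selector access with no enclosing user-event handler". The
// selector patterns and gesture-event list are my assumptions. Limitation: no AST, so a
// handler passed by reference (addEventListener('click', fn)) is reported as a finding.
const SENSITIVE_ACCESS = /(?:querySelector(?:All)?|matches|closest)\(\s*(['"`])(?:(?!\1)[^\n])*?(?:type\s*=\s*["']?password|cc-number|card-?number|\bssn\b|api[-_]?key)/gi;
// Events that fire only on a real user gesture (deliberately excludes 'focus' and 'input').
const USER_EVENTS = new Set(['click', 'dblclick', 'submit', 'keydown', 'keyup',
  'mousedown', 'mouseup', 'pointerdown', 'pointerup', 'touchstart', 'touchend']);
const LISTENER = /addEventListener\(\s*['"](\w+)['"]/g;
// Index of the '}' matching the first '{' at or after `from`, or -1 if none/unbalanced.
function closingBrace(src, from) {
  let depth = 0;
  for (let i = src.indexOf('{', from); i >= 0 && i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return i;
  }
  return -1;
}
// One finding per sensitive-field access that is not lexically inside the body of a
// user-event listener. An empty array means the script passes this check.
function scanContentScript(src) {
  const listeners = [];
  for (const m of src.matchAll(LISTENER)) {
    const end = closingBrace(src, m.index);
    if (end >= 0) listeners.push({ event: m[1].toLowerCase(), start: m.index, end });
  }
  const findings = [];
  for (const m of src.matchAll(SENSITIVE_ACCESS)) {
    const guarded = listeners.some(l =>
      USER_EVENTS.has(l.event) && l.start < m.index && m.index < l.end);
    if (guarded) continue;
    const line = src.slice(0, m.index).split('\n').length;
    const close = src.indexOf(')', m.index);
    findings.push({ line, call: src.slice(m.index, close < 0 ? undefined : close + 1) });
  }
  return findings;
}
// Constructed samples, not taken from any real extension.
const FAILING_SCRIPT = `
setInterval(() => {
  for (const el of document.querySelectorAll('input[type=password]')) { console.log(el.value); }
}, 2000);
`;
const PASSING_SCRIPT = `
document.addEventListener('click', (e) => {
  if (e.target.matches('input[type="password"]') && confirm('Read?')) { const value = e.target.value; }
});
`;
console.log(scanContentScript(FAILING_SCRIPT)); // one finding on line 3
console.log(scanContentScript(PASSING_SCRIPT)); // []
```

A finding is a starting point for manual review, not a verdict: confirm by reading the surrounding code that the access really lacks a user gesture before marking the check as failed.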
Cross-reference: For script injection patterns that could also capture DOM data, see the no-script-injection check in the Privacy Disclosures category.
Skip (N/A) when: The extension does not interact with forms, or it is a password manager / credential storage tool with explicit user permission to handle credentials.
Detail on fail: Describe the sensitive field capture. Example: "Content script periodically scans for password input fields and logs their values to console" or "Auto-complete feature reads credit card field values and sends them to external service."
Remediation: Remove automatic sensitive field capture. If your extension needs to work with sensitive data, require explicit user action:
    // In content script
    document.addEventListener('click', (e) => {
      if (e.target.type === 'password') {
        // Prompt user first
        if (confirm('Process this password field?')) {
          // Only then proceed
        }
      }
    });
Or use the browser's credential management API with explicit consent.