For security considerations, I am wondering whether Chrome extensions have access to an app. I am designing a Chrome App which handles sensitive data. As far as I understand it, that app runs in a sandboxed environment which should be fairly isolated. If a user had by mistake installed a malicious Chrome extension, would that extension be able to intercept/modify any of the sensitive data in the app?
Please note that I do not consider other ways of interception outside of the Chrome environment, e.g. some virus that allows someone to get root access or the like. I would just like to understand to what degree a Chrome app is more susceptible to interception than a standard stand-alone application.
Sebastian
On one hand, extensions cannot touch your app's windows (as in, inspection / script injection) in the default environment, even with "debugger" permission. Your "local" data should be safe.
On the other, I tested it and concluded that the webRequest API will catch all XHRs you send.
This includes headers for both request and response, and request body. Response body is currently not available for inspection; however, a malicious extension can perform a redirect, modify your request or cancel it.
This was deemed a security issue; as of Chrome 45, extensions can no longer intercept traffic from other extensions and apps. Hosted apps were accidentally included too, but it's a bug that will be fixed soon - traffic from hosted apps will be open to webRequest as normal.
I don't know any other possibility for an extension to snoop on an app (without any anomalous chrome://flag configuration).
Extensions or other apps cannot access data inside other extensions or apps. An exception may be data in the syncFileSystem API, since an extension could be granted access to the user's Gdrive.
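The webRequest exposure described in the first answer can be checked from the defender's side by auditing the manifests of installed extensions against the host your app talks to. The following is an added example, not part of the original posts: the manifests, extension names and backend URL are constructed sample data, and `patternCoversUrl` and `auditManifest` are hypothetical helper names.

```javascript
// Does a Chrome match pattern (e.g. "*://*.example.test/*") cover this URL's
// scheme and host? Paths are ignored: any match on the host counts as exposure.
function patternCoversUrl(pattern, url) {
  const { protocol, hostname } = new URL(url);
  const scheme = protocol.slice(0, -1);
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|ftp|file):\/\/(\*|\*\.[^/*]+|[^/*]*)\/.*$/.exec(pattern);
  if (!m) return false; // an API permission name such as "tabs", not a host pattern
  const [, pScheme, pHost] = m;
  const schemeOk = pScheme === "*" ? /^https?$/.test(scheme) : pScheme === scheme;
  if (!schemeOk) return false;
  if (pHost === "*") return true;
  if (pHost.startsWith("*.")) {
    const base = pHost.slice(2);
    return hostname === base || hostname.endsWith("." + base);
  }
  return hostname === pHost;
}

// Report whether one extension manifest could observe or modify requests to backendUrl.
function auditManifest(manifest, backendUrl) {
  // MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
  // Optional permissions are counted because they can be granted at runtime.
  const declared = ["permissions", "host_permissions", "optional_permissions",
    "optional_host_permissions"].flatMap((key) => manifest[key] || []);
  const hosts = declared.filter((p) => patternCoversUrl(p, backendUrl));
  const canObserve = declared.includes("webRequest") && hosts.length > 0;
  return {
    name: manifest.name,
    canObserve, // request/response headers and request body
    canModify: canObserve && declared.includes("webRequestBlocking"), // redirect, modify, cancel
    hosts,
  };
}

// Constructed sample data, not real extensions.
const BACKEND = "https://api.example.test/v1/records";
const SAMPLE_MANIFESTS = [
  { name: "Sample Tab Tidy", permissions: ["tabs", "storage"] },
  { name: "Sample Header Logger", permissions: ["webRequest", "*://*.example.test/*"] },
  { name: "Sample Proxy Helper", permissions: ["webRequest", "webRequestBlocking", "<all_urls>"] },
  { name: "Sample MV3 Tool", permissions: ["webRequest"], host_permissions: ["https://other.test/*"] },
];

const findings = SAMPLE_MANIFESTS.map((m) => auditManifest(m, BACKEND));
console.table(findings.map(({ name, canObserve, canModify }) => ({ name, canObserve, canModify })));
```

Per the first answer, this matters for hosted apps and ordinary web traffic; from Chrome 45 on, requests from other extensions and apps are no longer visible to webRequest.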