It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the `*.google.com` domains - tweeted about today [by Luca Casonato](https://twitter.com/lcasdev/status/1810696257137959018), …
The code doesn’t do anything on non-Google domains.
Luca says this - I’m inclined to agree:
> This is interesting because it is a clear violation of the idea that browser vendors should not give preference to their websites over anyone else’s.
In the comments, it’s not just Chrome that is affected.
It’s apparently all Chromium browsers.
Isn’t Chromium open source? How are the APIs a secret?
Simply no one ever looked and it’s not documented. And the API is locked to work only on Google domains, so it wasn’t usable to anyone to accidentally notice what’s going on.
Follow-up question: How many other parts of the Chromium codebase are limited to work on (maybe other) specific domains?
A Google engineer adds a piece of code, does not document what exactly it does, and it was approved without question. Something is seriously wrong with this or I don’t know how the Chromium project works.