
Security of Messaging between Content Script and Background Page in Chrome Extension


I am working on a Chrome Extension with a Content Script that sends a Message back to the Background page via chrome.runtime.sendMessage which triggers an action.

Does the Background page only accept Messages from my Content Script, or could it be hacked by a third party script that sends an identical Message in order to trigger the action?

Hope someone can help me, trying to get up to speed, and this is a security concern :)


Solution

  • Only your extension sees these messages.

    In order to send the message to another extension you would have to specify its ID explicitly.

    In order to receive the message from another extension you would have to declare a chrome.runtime.onMessageExternal or chrome.runtime.onConnectExternal listener, and that other extension would have to specify the ID of yours explicitly.

    The only case when another extension could hijack yours is when that other extension uses the chrome.debugger API, but in that case Chrome displays a yellow warning on all pages. That warning may be disabled manually via the chrome://flags/#silent-debugger-extension-api flag. Theoretically, a sophisticated malicious native application may silently alter the Local State file in the Chrome data folder.
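An added example, not part of the original answer, of a background script that enforces the two channels described above: internal messages must carry this extension's own ID, and external messages are accepted only from an explicit allowlist. The `doAction` message type, the allowlisted ID and the helper names are assumptions made for illustration.

```javascript
// Hypothetical values: a constructed placeholder ID and an assumed message type.
const ALLOWED_EXTERNAL_IDS = new Set(["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]);
const KNOWN_ACTIONS = new Set(["doAction"]);

// Internal channel (chrome.runtime.onMessage): Chrome fills in sender.id, so it
// must equal our own ID. sender.tab is present when the message came from a tab,
// as it does for a content script.
function isOwnContentScript(sender, ownId) {
  return Boolean(sender) && sender.id === ownId && Boolean(sender.tab);
}

// External channel (chrome.runtime.onMessageExternal): only allowlisted IDs.
function isAllowedExternal(sender, allowlist) {
  return Boolean(sender) && typeof sender.id === "string" && allowlist.has(sender.id);
}

// Accept only message shapes the background page knows how to handle.
function isKnownAction(message) {
  return message !== null && typeof message === "object" && KNOWN_ACTIONS.has(message.type);
}

function handleInternal(message, sender, ownId) {
  if (!isOwnContentScript(sender, ownId)) return { ok: false, error: "untrusted sender" };
  if (!isKnownAction(message)) return { ok: false, error: "unknown action" };
  return { ok: true, action: message.type, tabId: sender.tab.id };
}

function handleExternal(message, sender, allowlist) {
  if (!isAllowedExternal(sender, allowlist)) return { ok: false, error: "sender not allowlisted" };
  if (!isKnownAction(message)) return { ok: false, error: "unknown action" };
  return { ok: true, action: message.type, from: sender.id };
}

// Register listeners only inside an extension; elsewhere `chrome` is undefined.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    sendResponse(handleInternal(message, sender, chrome.runtime.id));
  });
  // Omit this listener entirely if no other extension needs to reach yours.
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    sendResponse(handleExternal(message, sender, ALLOWED_EXTERNAL_IDS));
  });
}
```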