It turns out Google Chrome ships a default, hidden extension that allows code on `*.google.com` access to private APIs, including your current CPU usage
You can test it out by pasting the following into your Chrome DevTools console on any Google page:
chrome.runtime.sendMessage(
"nkeimhogjdpnpccoofpliimaahmaaome",
{ method: "cpu.getInfo" },
(response) => {
console.log(JSON.stringify(response, null, 2));
},
);
More notes here: https://simonwillison.net/2024/Jul/9/hangout_servicesthunkjs/
@simon Not knowing how '*' is implemented, I'm concerned that it might it used on other websites matching `*.google.com`, such as https://my.malevolence.site/.google.com.
@xgebi The format used in the extensions system specifically checks against the hostname.
The source code is here: https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/url_pattern/url_pattern.h;l=26?q=URLPattern&sq=&ss=chromium%2Fchromium%2Fsrc
@mauve thanks