Ubc Workday Side By Side

👥 10K+ users
📦 v3.0.1
💾 663KiB
📅 2026-03-09

Overview

Calendar for the new UBC Workday course selection.

Tags

Productivity/tools

Privacy Practices

Not being sold to third parties, outside of the approved use cases
Not being used or transferred for purposes that are unrelated to the item's core functionality
Not being used or transferred to determine creditworthiness or for lending purposes
v3.0.1 Info Scanned Mar 10, 2026

Security Analysis — Ubc Workday Side By Side

Analyzed v3.0.1 · Mar 10, 2026 · 2 JS files · 1270 KB scanned

Permissions

  • storage
  • cookies
  • declarativeNetRequest
  • declarativeNetRequestWithHostAccess
  • *://*.myworkday.com/*
  • *://*.ratemyprofessors.com/*

Code Patterns Detected

  • Uses Fetch API
  • Accesses browser cookies
  • Broad host permissions
  • Can block/modify network requests
  • Uses postMessage for cross-origin comms

External Connections

reactjs.org, www.w3.org, wd10.myworkday.com, www.ratemyprofessors.com, github.com, ubcgrades.com, www.andismith.com, electronjs.org, html.spec.whatwg.org, www.google.com, discord.gg

Package Contents · 12 files · 3.2MB

📁 _metadata (2KB)
{} verified_contents.json (2KB)
📁 build (3.2MB)
📁 background (101KB)
📜 index.js (39KB)
📄 index.js.map (61KB)
📁 content (3.1MB)
🎨 index.css (19KB)
📄 index.css.map (33KB)
📜 index.js (1.2MB, large)
📄 index.js.map (1.9MB)
🖼 logo128.png (12KB)
🖼 logo16.png (616B)
🖼 logo32.png (2KB)
🖼 logo48.png (3KB)
{} manifest.json (1KB)

What This Extension Does

The 'Ubc Workday Side By Side' extension is a productivity tool designed to assist University of British Columbia students with course selection by displaying calendar data alongside the official Workday interface. It operates on Manifest V3 and integrates with both Workday and RateMyProfessors domains to provide contextual information. While primarily functional, it requests broad access to specific university systems and third-party review sites, which introduces a moderate privacy risk regarding the exposure of academic schedules and personal cookies.

Permissions Explained

  • storage (expected): Allows the extension to save your settings, preferences, and temporary data within the browser so it remembers how you want the side-by-side view to look.
    Technical: Accesses chrome.storage.sync and chrome.storage.local APIs. Data is encrypted at rest in Chrome's profile directory but remains accessible to other extensions with storage permissions if not strictly scoped.
  • cookies (check this): Grants the extension access to all cookies stored by websites you visit. This is necessary for it to log you into Workday and display your specific course data, but it also means it can see login tokens for other sites.
    Technical: Accesses document.cookie and chrome.cookies APIs. High risk if compromised as it could harvest session tokens from any site the user visits, not just Workday, unless strictly filtered by content scripts. ⚠ 1
  • *://*.myworkday.com/* (expected): Allows the extension to read and modify data on any page within the Workday domain. This is required to inject the calendar view into your existing course selection pages.
    Technical: Host permission for 'myworkday.com'. Enables content script injection and network request interception via declarativeNetRequest. If compromised, an attacker could potentially read sensitive HR data or modify page elements to perform phishing attacks.
  • *://*.ratemyprofessors.com/* (check this): Permits the extension to access RateMyProfessors pages. This is likely used to pull professor ratings or reviews into your course planning view.
    Technical: Host permission for 'ratemyprofessors.com'. Allows reading of page content and cookies on this third-party site. While less sensitive than Workday, it exposes browsing habits regarding academic research to the extension developer. ⚠ 1
  • declarativeNetRequest (expected): Enables the extension to block or modify network requests. This is typically used to load custom stylesheets or scripts needed for the side-by-side view.
    Technical: Uses chrome.declarativeNetRequest API with static rules. Generally safe as it cannot dynamically change rules at runtime, but combined with host access, it can alter page rendering logic.
  • declarativeNetRequestWithHostAccess (check this): A more powerful version of request blocking that allows the extension to modify network requests on specific sites you visit (like Workday).
    Technical: Requires host access to use declarativeNetRequest. Allows dynamic rule application and potential interception of sensitive data in transit before it reaches the server. ⚠ 1

Your Data

The extension accesses your browser cookies and page content specifically on Workday and RateMyProfessors. It communicates with various external services including ReactJS, Google, GitHub, and Discord, likely for updates or analytics.

Technical Details

Outbound connections observed to: reactjs.org, www.w3.org, wd10.myworkday.com, www.ratemyprofessors.com, github.com, ubcgrades.com, www.andismith.com, electronjs.org, html.spec.whatwg.org, www.google.com, discord.gg. Data types exposed include session cookies, page DOM content (course lists), and potentially user input data via postMessage. Encryption status for outbound HTTPS is standard, but the broad host access creates a large attack surface.

Code Findings

Broad Host Access to Third-Party Review Site (Medium)

The extension requests permission to read and write data on RateMyProfessors, a site unrelated to your university accounts. This is unnecessary if the extension only needs to display static ratings.

Technical: Permission '*://*.ratemyprofessors.com/*' combined with 'declarativeNetRequestWithHostAccess'. Risk vector: If the extension code is compromised or contains malicious logic, it could harvest browsing history on this domain or inject tracking scripts.

💡 Extensions often need host access to fetch external data (like ratings) to display them alongside internal data.

Unrestricted Cookie Access (High)

The extension has permission to read cookies from any website you visit, not just Workday. If this extension were malicious or hacked, it could steal your login sessions for other sites.

Technical: Permission 'cookies' without specific host restrictions in the manifest (or with broad host access). Attack scenario: Cross-site request forgery (CSRF) attacks become easier if an attacker controls the extension's background script to read stolen tokens.

💡 Required for maintaining user session state within the target application (Workday).

Missing Content Security Policy (Medium)

The extension does not enforce a strict security policy on its own code. This means if an attacker manages to inject malicious code into the extension, it can run with full privileges.

Technical: Manifest analysis shows 'Content Security Policy: not set'. Without CSP directives like 'script-src', the browser relies on default permissive policies for extension contexts, increasing the risk of XSS if the extension is updated with vulnerable code.

💡 Some developers omit CSP to ensure maximum compatibility with various content scripts and dynamic loading scenarios.

Cross-Origin Communication via postMessage (Info)

The extension uses a standard method to talk to other websites. While generally safe, it requires users to be careful about what data they send between tabs.

Technical: Uses window.postMessage API for cross-origin messaging. This is the standard mechanism for content scripts to communicate with background scripts or other origins. Risk exists if the origin checking logic is flawed, allowing unauthorized data leakage.

💡 Essential for extensions that need to update the UI in one tab based on actions taken in another or by a background service worker.

Bottom Line

The 'Ubc Workday Side By Side' extension is a functional tool for students but carries moderate privacy risks due to its broad access to cookies and third-party sites like RateMyProfessors. While the permissions are technically necessary for its core function of overlaying data, the lack of strict content security policies and the inclusion of non-essential third-party host access suggest that users should review their browser settings or consider alternative methods if they are concerned about data exposure beyond the Workday domain.
