| ▲ | zahlman 3 hours ago | |
Doesn't the browser know which script it's running? Why can't it just deny access to the specified path, except to the extension itself? | ||
| ▲ | cxr 3 hours ago | parent [-] | |
It does by default, except for the files from the extension that the extension author has explicitly designated as content-accessible. It's explained ("Using web_accessible_resources") at the other end of the link. | ||