mentalgear 7 hours ago

Browser extensions have much looser security than you would think: any extension, even if it just claims to change a style of a website, can see your input type=password fields - it's ludicrous that access to those does not need its own permission!

sebzim4500 7 hours ago

It's hard to see how you would implement that, any script run within the context of the page needs access to these fields for backwards compatibility reasons, so the context script of the extension would just need to find a way of running code in the context of the page to exfiltrate the data. It could do this by adding script tags, etc.

throwaway0665 7 hours ago

Browsers break backwards compatibility for security all the time. Most recently Chrome made accessing devices on a local network require a permission. They completely changed the behavior of cookies. They break loads of things for cross-origin isolation.

sebzim4500 7 hours ago

Sure, but this would break a significant portion of sign-in UIs.

drdec 5 hours ago

Even scripts within the page itself cannot read the value of password input fields. This is less of an issue than you are presenting it as.

Valodim 5 hours ago

...uhh, yes they can? Are you talking about input type=password fields, i.e. the ones 99% of passwords are entered in?
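
Added example, not part of the thread: a small audit of an extension's `manifest.json` that lists the sites on which the extension can run JavaScript in the page DOM, which is the access the top comment says has no separate permission for password fields. The function name and the sample manifest are constructed for illustration; optional permissions are not covered.

```javascript
// Match patterns that cover every (or nearly every) site.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// A host match pattern is "<all_urls>" or starts with scheme://
const isHostPattern = (p) =>
  p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);

// Returns the match patterns on which the extension can run script in a
// page's DOM. Script in the DOM can read any form field, password or not.
function domScriptAccess(manifest) {
  const patterns = new Set();

  // Declarative content scripts: only entries that ship JS count here;
  // a css-only entry runs no script.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.js || []).length > 0) (cs.matches || []).forEach((m) => patterns.add(m));
  }

  // Programmatic injection: MV3 needs "scripting" plus host_permissions;
  // MV2 lists host patterns directly in "permissions" (tabs.executeScript).
  const perms = manifest.permissions || [];
  if (manifest.manifest_version === 3) {
    if (perms.includes("scripting")) {
      (manifest.host_permissions || []).forEach((m) => patterns.add(m));
    }
  } else {
    perms.filter(isHostPattern).forEach((m) => patterns.add(m));
  }

  const all = [...patterns];
  return {
    broad: all.filter((p) => BROAD.has(p)),   // effectively every site
    scoped: all.filter((p) => !BROAD.has(p)), // named sites only
    activeTab: perms.includes("activeTab"),   // current tab after a user gesture
  };
}

// Constructed sample: a "restyle pages" extension that also ships a script.
const SAMPLE_STYLER = {
  manifest_version: 3,
  name: "Example Styler (constructed)",
  permissions: ["storage"],
  content_scripts: [{ matches: ["<all_urls>"], css: ["theme.css"], js: ["theme.js"] }],
};

console.log(domScriptAccess(SAMPLE_STYLER));
```

Anything reported under `broad` means the extension's script runs on login pages too, whatever the store description says it is for.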