coldtea 5 hours ago

Can extensions:

- be scoped, meaning only allowed to read/access when you visit a particular domain whitelist (controlled by the user)?
- be forced (by the extension API) to have a clear non-obfuscated feed of whatever they send that the user can log and/or tap onto and watch at any time?

If not, I wouldn't touch them with a 10000ft pole.
notpushkin 4 hours ago

> be scoped

Yes. Not usually user-controllable though.

> be forced to have a clear non-obfuscated feed

Kinda. You can usually open a devtools instance that shows whatever the extension is doing. But you can’t enforce it to not obfuscate the network requests though (you’d have to make extensions non-Turing complete).

You could mitigate some of these issues by vetting the extensions harder before letting them into the stores. Mozilla requires all extensions to have a readable source code, for example.
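Added example, not written by either commenter and not any browser's own code: extension scoping is declared as host match patterns in `manifest.json`, so a reader can check which sites an extension may touch before installing it. The function names, `ALLOWED_DOMAINS` and the sample manifest are assumptions made for illustration, and an allow-list entry is taken to cover its subdomains.

```javascript
// Patterns that grant access to every site (or every local file).
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"]);

// Collect every host match pattern the extension declares (MV2 and MV3 layouts).
function hostPatterns(manifest) {
  const looksLikePattern = (p) => p === "<all_urls>" || p.includes("://");
  return [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...(manifest.permissions || []).filter(looksLikePattern), // MV2 mixes hosts in here
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
}

// "https://*.example.com/*" -> "*.example.com"; null when there is no host part.
function patternHost(pattern) {
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  return m ? m[1] : null;
}

// Assumption: allow-listing "example.com" also allows its subdomains.
function isWithinAllowList(host, allowed) {
  const bare = host.replace(/^\*\./, "");
  return allowed.some((d) => bare === d || bare.endsWith("." + d));
}

// Return one finding per declared pattern that reaches beyond the allow-list.
function auditManifest(manifest, allowed) {
  const findings = [];
  for (const pattern of new Set(hostPatterns(manifest))) {
    const host = patternHost(pattern);
    if (BROAD.has(pattern) || host === "*") {
      findings.push({ pattern, verdict: "all-sites" });
    } else if (host === null || !isWithinAllowList(host, allowed)) {
      findings.push({ pattern, verdict: "outside-allow-list" });
    }
  }
  return findings;
}

// Constructed sample manifest and allow-list.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "constructed-sample",
  permissions: ["storage"],
  host_permissions: ["https://*.example.com/*", "https://tracker.invalid/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const ALLOWED_DOMAINS = ["example.com"];
console.log(auditManifest(SAMPLE_MANIFEST, ALLOWED_DOMAINS));
```

This only reports what the manifest declares; it says nothing about what the extension sends once it has that access.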