[paulpauper]

Read is not the same as send to external server. this is a big deal. it makes phishing incredibly easy and impossible to detect.

The ability of extensions to log form data to external servers allows for massive potential abuse. Not sure why Google would allow it. I imagine millions of logins have been stolen this way.

[thinkcontext]

Most extensions of any usefulness require these 2 permissions. How else would something like adblocking or a login manager work?

[detaro]

An adblocker is a good counter-example: it could work with an API that tracked the page changes and stopped e.g. JS or images inserted by the extension from loading. Even when editing the DOM, it has no need to load anything externally. Sounds possible, but I'm not sure how big the overhead of extending the DOM like that would be.

You probably could still create interactions with on-site JS that leak data sometimes, so it wouldn't be perfect, but that's page-specific and a lot more work.

[thinkcontext]

That would break a sizable amount of the web, eg, Youtube embeds.

[detaro]

How would an optional feature, for extensions only break the web? I'm not talking about changing the security policies in general.