by mastef 2910 days ago
Sometimes extensions plan such things a long time ahead - for example this extension https://chrome.google.com/webstore/detail/bitcoin-litecoin-e... injects itself currently into all websites, and sends the url back to its own background page.

So once they are ready to add malicious code in the future to pass that information somewhere else, no permission changes will be required.

Before downloading any extensions, I usually inspect them quickly with https://chrome.google.com/webstore/detail/chrome-extension-s...

The most important parts are "manifest.json" and then, if defined, content scripts that match catch-all URLs and "https://*/*" / "http://*/*".

1 comments

Thank you for the information. Very helpful.
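
The manifest check described in mastef's comment, as an added example that is not part of the original thread: it flags content scripts whose match patterns cover every host, and goes one step further by also checking host permissions. The sample manifest is constructed, and the function names `isCatchAll` and `auditManifest` are hypothetical.

```javascript
// Constructed sample manifest (not taken from any real extension).
const sampleManifest = {
  manifest_version: 2,
  name: "Sample price ticker",
  permissions: ["storage", "https://api.example.com/*"],
  background: { scripts: ["background.js"] },
  content_scripts: [
    { matches: ["https://*/*", "http://*/*"], js: ["inject.js"], all_frames: true },
    { matches: ["https://www.example.com/*"], js: ["site.js"] }
  ]
};

// True when a match pattern applies to every host: "<all_urls>" or host "*".
function isCatchAll(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|[a-z][a-z0-9+.-]*):\/\/([^/]*)\//i.exec(pattern);
  return m !== null && m[2] === "*";
}

// Return one finding per content script or host permission set covering all sites.
function auditManifest(manifest) {
  const findings = [];
  for (const [i, cs] of (manifest.content_scripts || []).entries()) {
    const broad = (cs.matches || []).filter(isCatchAll);
    if (broad.length > 0) {
      findings.push({
        kind: "content_script",
        index: i,
        patterns: broad,
        files: cs.js || [], // the scripts to read next
        allFrames: cs.all_frames === true
      });
    }
  }
  // Host permissions live in "permissions" (MV2) or "host_permissions" (MV3).
  const hosts = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => typeof p === "string" && isCatchAll(p));
  if (hosts.length > 0) findings.push({ kind: "host_permission", patterns: hosts });
  return findings;
}

for (const f of auditManifest(sampleManifest)) console.log(JSON.stringify(f));
```

Each content-script finding lists the injected files, so the review can go straight from the manifest to the scripts that run on every page.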