Hacker News
by palant 2847 days ago
Yes, I didn't bother expanding this further. Spoofing Keybase UI would still be possible, but users would notice that their message doesn't get sent. Still, the only complete solution would be to delegate even the initial message to the app rather than asking users to enter it on the webpage. Unfortunately, browsers don't let extensions open trusted UI at will...

Sure they do, you just get a prompt saying 'you sure you want to open keybase?', with the option to skip this prompt in the future.
By "trusted UI" I meant user interface within the browser that clearly doesn't belong to the webpage - such as the browser action's pop-up. As I said, an extension like Keybase could delegate this action to their app. Other extensions don't have this option because they don't have a native component. This is the reason why so many have implemented questionable or outright insecure solutions.