Not sure what functionality their extension has, but this is pretty hard to avoid. To run javascript you can basically do whatever you want — so the browsers let users know that. I wish the security could be more fine grained, but I’m not sure that’s possible.
Edit: Looked at the extension and maybe it could limit itself to social network domains though.
Are you sure that's current? I made an extension (just for myself) a few months back and I could restrict the domains via the permissions array in the manifest.json
This then in turn populates the list of sites in the extension settings where you can choose to deny access to the aforementioned websites listed in the manifest
Oh sorry, yes I am mistaken (been a while for me). I guess a lot of developers just use permissions "host": " * " because it's easier...
What extension did you make? I made [1] an extension a while ago, and spent more time than I'd care to admit. Now that I think about it, I used "host": " * " too! (even though it's necessary for that particular extension)...
Hey neat! See your extension would obviously need access to all sites to check against reddit/HN so that makes sense.
My extension wasn't published, it was targeted to a specific site (so could narrow the scope of the permissions) and was just set up to allow downloading of images individually (via an overlayed button) and an album as a zip. Pretty legal grey area hence me not publishing it.
Edit: Looked at the extension and maybe it could limit itself to social network domains though.