by louisbarclay 2211 days ago
Good point. I had that debate with myself. And I concluded that since I'm going to be adding quite a few domains to Unweb in the near future, and since I don't want users to be asked for new permissions every time they install a new version (which is a potential churn point), I preferred to go with the <all_urls> permission for the hiding content script.

This is in line with what similar extensions like Motion (YC W20, http://inmotion.app/) do. But I do really sympathise and I'm sorry that this was a bad experience.

Incidentally there's a cost (aside from user trust) to doing it this way, which is that the Web Store takes far longer to review your extension - which hopefully means they do a good job of checking the permissions aren't being used malevolently.