[Asuchug4]

It is almost a 'stopping problem'. You can send any data by sending GET with data encoded in url path, without any query string. How is any sandbox supposed to detect if you are sending data or really just getting information (like updating adblock list).

[aembleton]

The url path shouldn't change on each call, so ask the user to whitelist each request the first time that they are made. Subsequent GET requests to the same endpoint and same params can go through without a prompt.