|
|
|
|
|
|
by rini17
1856 days ago
|
|
|
This is misunderstanding. Extensions can read any data even with restrictive CSP. Malicious extension then can use other channel than the currently opened tab to exfiltrate them. There are many. Extension users do want the extensions to interact with pages, often including cross-origin requests. That is what extensions are for and they won't work with restricting API surface. |
|
|