[robryk]

You can always exfiltrate by inserting stuff into the page's DOM that will do the exfil from the page's context.

[aembleton]

Should have a seperate permission to modify the DOM. This extension only needs to read the DOM.

[teruakohatu]

Yes, a network access and DOM write permission should be one and the same. I think the reason it isn't done is because there are so many ways to leak data over a network. If the extension can trigger a DNS lookup somehow, it can exfiltrate data.

Android used to have a network permission but Google removed it.

[beeboobaa3]

> Android used to have a network permission but Google removed it.

That's because google is in the ads business and wants apps to always be able to exfiltrate data to google (google analytics, google ads, etc) & display ads without needing additional permissions.

Having a network permission means there is an incentive for apps to not have the network permission which means they can't load ads. And Google wants you to look at their ads.

[pastage]

I block all external resources on my pages, but sure it works well in most places! It think the default policy should be block on most pages.

[gtsteve]

I would hope that high value target sites such as banks would implement CSPs to prevent that or make it more difficult though.

[pigeonhole123]

You can save the data and exfiltrate through a site without CSP