by g947o 184 days ago
> extensions could just load external scripts and there's no way you could tell what they were actually doing.

I do think security researchers would be able to figure out what scripts are downloaded and run.

Regardless, none of this seems to matter to end users whether the script is in the extension or external.

2 comments

Nothing stopping server-side logic: if request.ip != myvictim, serve no malicious payload.
Even if the extension isn’t malicious, it creates a new attack vector that can affect users. If whatever URL the script is remotely loaded from is compromised, now all users of that extension are vulnerable.