by vbcr 4090 days ago
Why does the browser even allow any toolbar/extension to modify the content that was delivered on an HTTPS connection? Isn't the data that is delivered over HTTPS pristine, such that it should not be modified at the browser endpoint by the browser?

I am a layman in security and do not understand a lot of this. Maybe I missed something here. Is my question correct?

2 comments

Not all HTTPS connections are to your bank.

You're probably reading this page using HTTPS and there are quite a few extensions to modify the look and feel of Hacker News.

Changing on-page content is just about the only reason extensions exist in the first place. Without that you could retire just about all of them.

Extensions MUST be able to modify content. Think about NoScript or Adblock - what if ads were served over HTTPS, and you were not allowed or could not technically block them? What if analytics trackers were all over HTTPS and couldn't be blocked or disabled?