Technical risk

Browser extension security

Browser extensions need narrow permissions, careful content script boundaries, and strict message validation.

Focus 1

Host-permission overreach

Request the smallest possible host permissions and use activeTab where feasible.

Focus 2

DOM injection

Avoid unsafe HTML injection and sanitize any content crossing page-extension boundaries.
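The following is an added example, not code from the original page: it places the unsafe `innerHTML` pattern beside a safe rendering path that builds DOM nodes and sets `textContent`, plus two helpers for the cases where a string still has to cross into an HTML or URL context. The `makeStubDocument` helper is a constructed stand-in for the DOM so the example runs in Node; in an extension you would pass `document` instead.

```javascript
// Added example (not from the original page): rendering untrusted page content
// inside an extension's own UI without letting it become markup.

// Escape the characters that let text break out of an HTML text or attribute
// context. Only needed when a string must be placed into an HTML template;
// prefer building nodes (renderSafe below) whenever possible.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Only http(s) URLs are allowed into an href; anything else (javascript:,
// data:, unparsable input) collapses to a harmless fragment link.
function safeHref(untrustedUrl) {
  try {
    const parsed = new URL(String(untrustedUrl));
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : '#';
  } catch {
    return '#';
  }
}

// UNSAFE pattern: page-controlled text is parsed as HTML in the extension's
// origin, so a crafted page title runs with the extension's privileges.
function renderUnsafe(container, pageTitle) {
  container.innerHTML = '<div class="title">' + pageTitle + '</div>';
}

// SAFE pattern: create the element and assign textContent, so the browser
// never parses the untrusted string. `doc` is injected so the function can be
// exercised outside a browser.
function renderSafe(doc, container, pageTitle) {
  const div = doc.createElement('div');
  div.className = 'title';
  div.textContent = String(pageTitle);
  container.replaceChildren(div);
  return div;
}

// Minimal stand-in for a DOM, constructed here so the example runs in Node.
function makeStubDocument() {
  const makeNode = (tagName) => ({
    tagName, className: '', textContent: '', innerHTML: '', children: [],
    replaceChildren(...nodes) { this.children = nodes; },
  });
  return { createElement: makeNode, body: makeNode('body') };
}

// Usage: the title comes from a content script relaying document.title, which
// the page fully controls (constructed sample input).
const doc = makeStubDocument();
renderSafe(doc, doc.body, '<img src=x onerror="alert(1)">');
console.log(doc.body.children[0].textContent); // printed verbatim, never parsed
```

`textContent` is the right tool for text; for links use `safeHref` on the `href` value and still set it through a property, not by string concatenation. `escapeHtml` is the fallback for templating code that cannot be converted to node building.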

Focus 3

Message passing

Validate sender origin, schema, and intent before acting on messages.
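An added example, not part of the original page, of the three checks in the order a service worker should apply them: who sent the message (extension id, and for content scripts the origin of the tab behind them), whether the message matches a declared schema, and whether the requested action is one that sender is allowed to ask for. The extension id, the origin allowlist and the two actions in `POLICY` are constructed placeholders; the `chrome.runtime.MessageSender` fields used (`id`, `tab`, `url`) are real.

```javascript
// Added example (not from the original page): validating a runtime message
// before acting on it. Anything that fails a check is rejected with a reason.

// Policy the extension ships with; every value here is constructed for the example.
const POLICY = {
  extensionId: 'EXAMPLE_EXTENSION_ID',              // placeholder, not a real id
  contentScriptOrigins: ['https://app.example'],    // constructed allowlist
  actions: {
    // action name -> required payload fields (by type) and whether a
    // content script, which runs next to untrusted page code, may request it
    getSettings:  { fields: {}, fromContentScript: true },
    saveSettings: { fields: { theme: 'string' }, fromContentScript: false },
  },
};

// Classify the sender: 'foreign' (reject), 'contentScript' (limited trust)
// or 'extensionPage' (popup, options page, worker: full trust).
function senderKind(sender, policy) {
  if (!sender || sender.id !== policy.extensionId) return 'foreign';
  if (sender.tab) {
    // Content scripts carry the tab they run in; the page behind it is
    // untrusted, so its origin must be on the allowlist.
    let origin;
    try { origin = new URL(sender.url || '').origin; } catch { return 'foreign'; }
    return policy.contentScriptOrigins.includes(origin) ? 'contentScript' : 'foreign';
  }
  return 'extensionPage';
}

function validateMessage(message, sender, policy = POLICY) {
  const kind = senderKind(sender, policy);
  if (kind === 'foreign') return { ok: false, reason: 'untrusted sender' };

  if (!message || typeof message !== 'object' || typeof message.action !== 'string') {
    return { ok: false, reason: 'malformed message' };
  }
  const spec = policy.actions[message.action];
  if (!spec) return { ok: false, reason: 'unknown action' };
  if (kind === 'contentScript' && !spec.fromContentScript) {
    return { ok: false, reason: 'action not allowed from content script' };
  }
  // Schema check: every declared field present with the right type, and no
  // undeclared fields accepted (they would otherwise reach the handler unchecked).
  const payload = message.payload || {};
  for (const [field, type] of Object.entries(spec.fields)) {
    if (typeof payload[field] !== type) return { ok: false, reason: `bad field ${field}` };
  }
  for (const field of Object.keys(payload)) {
    if (!(field in spec.fields)) return { ok: false, reason: `unexpected field ${field}` };
  }
  return { ok: true, action: message.action, payload, from: kind };
}

// How the service worker would wire it up. chrome.runtime only exists inside
// the extension, so the registration is guarded to keep the file runnable in Node.
if (typeof chrome !== 'undefined' && chrome.runtime) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    const result = validateMessage(message, sender);
    sendResponse(result.ok ? { ok: true } : { ok: false, reason: result.reason });
  });
}
```

Messages from other extensions or web pages arrive on `onMessageExternal`, not `onMessage`; if that listener is registered at all it should run the same validation with its own, stricter policy.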

Focus 4

Storage

Do not place credentials or long-lived secrets in localStorage or extension storage.

Focus 5

Remote code

Avoid remote code loading and unsafe-eval CSP exceptions.
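Focus 1 (host-permission overreach) and Focus 5 (remote code and CSP exceptions) are both visible in the manifest, so one added check serves both. This lint is example code written for this page, not part of the original and not a published tool; it flags host patterns that grant every site, static host permissions declared without `activeTab`, and `script-src` entries that allow `'unsafe-eval'`, `'unsafe-inline'` or a remote origin. Both manifests at the bottom are constructed. Chrome rejects remote sources and `'unsafe-eval'` in a Manifest V3 `extension_pages` policy, so the CSP half mostly catches Manifest V2 manifests still in a repository.

```javascript
// Added example (not from the original page): a small manifest.json lint that
// reports host-permission overreach and CSP/remote-code weaknesses.

const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Parse a CSP string into { directive: [sources...] }.
function parseCsp(csp) {
  const out = {};
  for (const part of String(csp).split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Returns a list of human-readable findings; an empty list means clean.
function auditManifest(manifest) {
  const findings = [];

  // Host permissions: MV3 keeps them in host_permissions, MV2 mixed them into permissions.
  const perms = manifest.permissions || [];
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter((p) => p.includes('://') || p === '<all_urls>'),
  ];
  for (const h of hosts) {
    if (BROAD_HOSTS.has(h)) {
      findings.push(`host: ${h} grants every site; prefer activeTab or named origins`);
    }
  }
  if (hosts.length > 0 && !perms.includes('activeTab')) {
    findings.push('host: static host permissions without activeTab; check whether user-invoked access would do');
  }

  // CSP: MV2 used a string, MV3 uses an object with an extension_pages policy.
  const cspField = manifest.content_security_policy;
  const cspString = typeof cspField === 'string'
    ? cspField
    : (cspField && cspField.extension_pages) || '';
  if (cspString) {
    const csp = parseCsp(cspString);
    const scriptSrc = csp['script-src'] || csp['default-src'] || [];
    for (const src of scriptSrc) {
      if (src === "'unsafe-eval'" || src === "'unsafe-inline'") {
        findings.push(`csp: script-src allows ${src}`);
      } else if (/^(https?:|\*)/.test(src)) {
        findings.push(`csp: script-src allows remote source ${src}`);
      }
    }
  }
  return findings;
}

// Constructed "before" manifest: every site, no activeTab, eval and a CDN allowed.
const WEAK_MANIFEST = {
  manifest_version: 2,
  permissions: ['<all_urls>', 'tabs'],
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'",
};

// Constructed "after" manifest: one named origin, activeTab for everything else,
// scripts only from the package itself.
const HARDENED_MANIFEST = {
  manifest_version: 3,
  permissions: ['activeTab', 'scripting'],
  host_permissions: ['https://app.example/*'],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

// Usage in CI: node audit.js manifest.json, failing the build on any finding.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const manifest = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  const findings = auditManifest(manifest);
  findings.forEach((f) => console.log(f));
  process.exitCode = findings.length ? 1 : 0;
}
```

The lint is deliberately strict about `'unsafe-inline'` too, since an inline-script allowance in an extension page has the same effect as remote code once any untrusted string reaches the DOM. Subdomain wildcards such as `*://*.example/*` are not flagged; whether that scope is too wide is a per-extension judgement.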

Focus 6

Tab capture

Use explicit consent and clear purpose limits for capture capabilities.