Hello, I hope this is in the right area…
I wonder, why so many Add-Ons need to access all website data.
Like passwords, username…
Does that not open the doors for the Add-On to send this data to somone who should not have that?
BR
Yes, there is a risk with using an extension that accesses page content. Is it always necessary? It depends on the function of the extension.
You can authorize “current page” access by clicking a button or choosing a context menu item. This does not require “all sites” access. However, in some cases, this is not enough due to the site’s use of images or scripts embedded from other servers, or you want an extension to perform a function automatically without your having to click a button or menu item every time. In those cases, pre-authorizing access by granting “all sites” permission often is necessary.
As for what an extension can do once it has access to a page, yes, it could watch your form entries to learn your logins (as far as I know, this is the only way to capture that data, unless the site exposes it in plain text on one of their pages). But imagine you disabled the extension while you are logging in, so it can’t capture what you entered into the login form. There are lots of other bad things an extension could do. How could you ever be comfortable using one?
There are some screening features in place that filter extensions with obviously problematic behaviors, and bad actors constantly try to find workarounds. It is difficult to be assured of the safety of any extension, other than those in the “Recommended” program which receive more extensive reviews. Otherwise, you have to consider the developer and reviews, and balance your need for a function against the risk.
1 Like