> The researchers explain that the problem concerns the systemic practice of giving browser extensions unrestricted access to the DOM tree of sites they load on<p>Of course.<p>> Your data on all the websites you visit gives access to read, request or modify data from every page you visit (bank account, Facebook).<p><a href="https://support.google.com/chrome_webstore/answer/186213?hl=en#zippy=%2Chigh-alert%2Cmedium-alert" rel="nofollow noreferrer">https://support.google.com/chrome_webstore/answer/186213?hl=...</a><p>If an extension can modify your DOM, well, guess what - it can attach event listeners, it can make the password be posted to pastebin, and so on.<p>That's why I don't install extensions that I don't trust that ask for this level of permissions.
Seems like a non-story. This is obviously by design.<p>Extensions may need to access the DOM, including password and other sensitive fields (e.g. for autofill and password managers).<p>That's indeed what Google has said in response:<p>>A Google spokesperson has confirmed that they're looking into the matter, and pointed to Chrome's Extensions Security FAQ that does not consider access to password fields a security problem as long as the relevant permissions are properly obtained.
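
An added example, not part of the original comments and not code from Chrome or the researchers: the following JavaScript checks a parsed `manifest.json` for the all-sites host access that both comments refer to, so the permission level can be reviewed before an extension is installed. The function names and the two sample manifests are constructed for illustration; the manifest keys are the standard Manifest V2/V3 ones.

```javascript
// Match patterns that cover every host for at least one web scheme.
const BROAD = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;

function isBroad(pattern) {
  return typeof pattern === 'string' && BROAD.test(pattern);
}

// Returns a list of findings for a parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  const note = (where, pattern, injected) =>
    findings.push({ where, pattern, injected });

  // Manifest V3 keeps host patterns in host_permissions; V2 mixes them
  // into permissions alongside API names such as "tabs".
  for (const key of ['host_permissions', 'permissions',
                     'optional_host_permissions', 'optional_permissions']) {
    for (const p of manifest[key] || []) {
      if (isBroad(p)) note(key, p, false);
    }
  }
  // Content scripts run inside the page and see its DOM, form fields included.
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) {
      if (isBroad(p)) note(`content_scripts[${i}].matches`, p, true);
    }
  });
  return findings;
}

// Constructed sample manifests (not real extensions).
const broadManifest = {
  manifest_version: 3,
  name: 'sample-broad',
  permissions: ['storage'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
};
const scopedManifest = {
  manifest_version: 3,
  name: 'sample-scoped',
  permissions: ['activeTab'],
  host_permissions: ['https://*.example.com/*'],
  content_scripts: [{ matches: ['https://example.com/*'], js: ['content.js'] }],
};

console.log(auditManifest(broadManifest));  // two findings
console.log(auditManifest(scopedManifest)); // no findings
```

A finding with `injected: true` means the extension's script is loaded into every matching page automatically; `injected: false` means the extension holds the host access and can inject on demand.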