Are there any known security downsides?
Created by: RoxKilly
I understand how intercepting network requests and injecting JS script instead would increase speed and enhance privacy (reduce the opportunity for tracking). A short FAQ on how this works would be really helpful, for people who are technically literate enough to understand the technology, but don't feel comfortable reading code. For instance, after a bit of research, I still have the following questions:
- One benefit of contacting the origin server, especially over `https` connections, is the guarantee that the script is authentic. Given that this extension would not communicate with the origin server, are there safeguards in place to check the integrity of script before injecting it? Is it possible for another application to modify the scripts in the local cache in order to get malicious script executed?
- How does Private Browsing impact this extension? I know that the browser clears its cache after a private browsing session, but extension settings are preserved.
- When are the scripts downloaded? And are they saved as `.js` files on the user's hard drive?
- Is there any mechanism to check whether a local copy is outdated? Or does the add-on assume that script at a given URL never changes?
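
The first question above asks whether a locally stored script can be integrity-checked before it is injected. The following is an added example, not part of the original post and not the extension's own code (the page does not say what the extension does): a fail-closed check of stored bytes against pinned SRI-style digests, written for Node.js. The resource path, file contents and manifest are constructed for illustration, and the function names are hypothetical.

```javascript
// Added example (not the extension's code): fail-closed integrity check for
// locally stored scripts, using SRI-style "sha384-<base64>" pins.
const crypto = require("node:crypto");

const STRENGTH = ["sha256", "sha384", "sha512"]; // weakest to strongest

// Compute an SRI-format digest string for a byte buffer.
function sriDigest(bytes, algo = "sha384") {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest("base64")}`;
}

// Parse "sha256-... sha384-..." and keep only the strongest algorithm's pins,
// so a weaker digest listed alongside cannot be used to downgrade the check.
function strongestPins(metadata) {
  const pins = metadata.trim().split(/\s+/)
    .map((t) => { const i = t.indexOf("-"); return { algo: t.slice(0, i), b64: t.slice(i + 1) }; })
    .filter((p) => STRENGTH.includes(p.algo) && p.b64.length > 0);
  const best = Math.max(-1, ...pins.map((p) => STRENGTH.indexOf(p.algo)));
  return pins.filter((p) => STRENGTH.indexOf(p.algo) === best);
}

// Decide whether a stored copy may be injected. Anything unpinned is refused.
function verifyBeforeInject(path, bytes, manifest) {
  const pinned = Object.prototype.hasOwnProperty.call(manifest, path);
  if (!pinned || !manifest[path]) return { ok: false, reason: "no-pin" };
  const pins = strongestPins(manifest[path]);
  if (pins.length === 0) return { ok: false, reason: "bad-pin" };
  for (const { algo, b64 } of pins) {
    const expected = Buffer.from(b64, "base64");
    const actual = crypto.createHash(algo).update(bytes).digest();
    // Length check first: timingSafeEqual throws on unequal lengths.
    if (expected.length === actual.length && crypto.timingSafeEqual(expected, actual)) {
      return { ok: true, reason: algo };
    }
  }
  return { ok: false, reason: "digest-mismatch" };
}

// Constructed sample data: a stand-in library file and its pinned manifest.
const SAMPLE_PATH = "resources/example-lib/1.0.0/example.min.js"; // hypothetical
const SAMPLE_BYTES = Buffer.from("window.exampleLib={version:'1.0.0'};");
const MANIFEST = {
  [SAMPLE_PATH]: `${sriDigest(SAMPLE_BYTES, "sha256")} ${sriDigest(SAMPLE_BYTES)}`,
};
const TAMPERED = Buffer.concat([SAMPLE_BYTES, Buffer.from("/*modified on disk*/")]);
```

A check like this only helps if the manifest is stored somewhere the modifying application cannot also rewrite, for example inside the signed extension package rather than next to the cached files.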