Most browser extensions seem to require access to one's browsing history and keystrokes, even for legitimate functioning. Is there any way to ensure that they do only what they claim to do, and don't abuse the permissions? (Apart from verifying the source code, because clearly, lines of junk code >> interested eyeballs).
For example, would it be reasonable to enforce that an extension only acts locally, and cannot communicate with any external server? (I guess allowing arbitrary local modifications essentially allows the extension to execute arbitrary JavaScript code, including communicating with arbitrary remote entities?)
Yes, it's very hard to block that, since even if you block XHR from their JavaScript code, by changing the page DOM they can inject elements that communicate with a server.
> ... Firefox extensions are written in JavaScript too and NoScript doesn't block scripts living outside web pages (i.e. the browser components, included extensions) ...
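The answer above notes that blocking XHR is not enough, because elements added to the page DOM make the browser issue requests on their own. As an added example (not part of the original thread), this sketch shows how a page could observe that: it flags newly added elements whose URL attributes point off-origin. The names `offOriginLoads`, `URL_ATTRS`, `el` and the `.example` hosts are hypothetical, and the sample nodes are constructed.

```javascript
// Attributes that cause a fetch once the element is attached to the DOM.
// LINK is flagged conservatively (not every rel value triggers a load).
const URL_ATTRS = {
  IMG: ["src"], SCRIPT: ["src"], IFRAME: ["src"], LINK: ["href"],
  VIDEO: ["src", "poster"], AUDIO: ["src"], SOURCE: ["src"],
  EMBED: ["src"], OBJECT: ["data"],
};

// addedNodes: element-like objects exposing tagName and getAttribute().
// pageOrigin: e.g. location.origin in a browser.
function offOriginLoads(addedNodes, pageOrigin) {
  const findings = [];
  for (const node of addedNodes) {
    for (const attr of URL_ATTRS[node.tagName] || []) {
      const raw = node.getAttribute(attr);
      if (!raw) continue;
      let url;
      try { url = new URL(raw, pageOrigin); } catch { continue; }
      // data:, blob: and similar schemes do not contact a remote host.
      if (url.protocol !== "http:" && url.protocol !== "https:") continue;
      if (url.origin !== pageOrigin) {
        findings.push({ tag: node.tagName, attr, origin: url.origin });
      }
    }
  }
  return findings;
}

// Constructed stand-in for DOM elements so the sketch runs outside a browser.
const el = (tagName, attrs = {}) =>
  ({ tagName, getAttribute: (name) => attrs[name] ?? null });

const SAMPLE = [
  el("IMG", { src: "https://third-party.example/pixel.gif" }),
  el("IMG", { src: "/static/logo.png" }),
  el("SCRIPT", { src: "https://cdn.example/lib.js" }),
  el("IMG", { src: "data:image/gif;base64,AAAA" }),
  el("DIV"),
];
const findings = offOriginLoads(SAMPLE, "https://app.example");
console.log(findings);

// Browser wiring (assumed usage):
// new MutationObserver((recs) => recs.forEach((r) => console.warn(
//   offOriginLoads([...r.addedNodes].filter((n) => n.nodeType === 1),
//                  location.origin))))
//   .observe(document, { childList: true, subtree: true });
```

This only observes elements at the moment they are added; it does not inspect their descendants or later attribute changes, and it does not prevent the request.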