Security model

Understand what RTO can and cannot do, and why it is designed this way.
Docs updated: 2025-12-17

Deny-by-default allow-list

The extension will only control pages on hosts that were explicitly allow-listed. This prevents accidental automation on the wrong site.

Practical rule
If you see DOMAIN_NOT_ALLOWED, your first fix is usually: add the host to the allow-list.

Controlled tabs

RTO runs actions only inside a tab it controls. You typically create one with openTab (using a tabKey you choose).

Common error
If you run a DOM action without a controlled tab, you may get NO_CONTROLLED_TAB or TAB_NOT_FOUND.

Safe DOM actions (no arbitrary code execution)

DOM automation is done through named actions (click, setValue, getText, …). This is safer than evaluating arbitrary JavaScript on the target page.
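The three layers above (host allow-list, controlled tabs, named actions) as an added example in plain JavaScript; this is not RTO's code. The allow-list contents, the `openTab`/`runAction` shapes, the `doc` stand-in for the DOM and the `UNKNOWN_ACTION` code are assumptions for illustration; only `DOMAIN_NOT_ALLOWED`, `NO_CONTROLLED_TAB` and `TAB_NOT_FOUND` come from this page.

```javascript
// Added example, not RTO's own code. Models the three checks from the text:
// deny-by-default host allow-list, controlled tabs keyed by tabKey, and a
// closed table of named actions (no eval of page JavaScript).
const ALLOWED_HOSTS = new Set(["app.example.com"]); // constructed allow-list

// Exact hostname match after URL parsing, so "app.example.com.attacker.test"
// or a string that merely contains the host does not pass.
function isHostAllowed(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return false; // unparsable URL is never allowed
  }
  return ALLOWED_HOSTS.has(host);
}

// Named actions only: there is no entry that runs arbitrary code. `doc` is a
// plain object standing in for the page DOM (assumption for this example).
const ACTIONS = {
  click: (doc, sel) => { doc[sel] = "clicked"; return true; },
  setValue: (doc, sel, value) => { doc[sel] = value; return true; },
  getText: (doc, sel) => (Object.hasOwn(doc, sel) ? doc[sel] : ""),
};

// Controlled tabs, keyed by the tabKey chosen when the tab was opened.
const controlledTabs = new Map();

function openTab(tabKey, url) {
  if (!isHostAllowed(url)) return { ok: false, code: "DOMAIN_NOT_ALLOWED" };
  controlledTabs.set(tabKey, { url, doc: {} });
  return { ok: true };
}

function runAction(tabKey, action, selector, value) {
  if (controlledTabs.size === 0) return { ok: false, code: "NO_CONTROLLED_TAB" };
  const tab = controlledTabs.get(tabKey);
  if (!tab) return { ok: false, code: "TAB_NOT_FOUND" };
  // Re-check the host: the tab may have navigated since it was opened.
  if (!isHostAllowed(tab.url)) return { ok: false, code: "DOMAIN_NOT_ALLOWED" };
  // hasOwn, not a bare lookup: ACTIONS["constructor"] would otherwise resolve
  // to Object via the prototype chain and be callable.
  if (!Object.hasOwn(ACTIONS, action)) return { ok: false, code: "UNKNOWN_ACTION" }; // placeholder code
  return { ok: true, result: ACTIONS[action](tab.doc, selector, value) };
}
```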

Browser security limits

  • The helper scripts run in your page; the extension runs in a different context.
  • Normal web security still applies (same-origin policy, permission prompts, browser internal pages).
  • Some pages cannot be controlled at all (example: browser settings pages).
