Security model

Understand what RTO can and cannot do, and why it is designed this way.
Docs updated: 2026-03-24

Deny-by-default allow-list

The extension will only control pages on hosts that were explicitly allow-listed. This prevents accidental automation on the wrong site.

  • Allow-list entries are host-based (example: example.com).
  • On local dev setups you may use host:port (example: localhost:3000).

Practical rule
If you see DOMAIN_NOT_ALLOWED, the first fix is usually to add the host to the allow-list.

In 7.13.0, page-side add requests are visible: the page asks through allowlistAddRequest, and the host is added only after the user confirms on the matching master tab.

Controlled tabs

RTO runs actions only inside a tab it controls. You typically create one with openTab (using a tabKey you choose).

Common errors
If you run a DOM action without a controlled tab, you may get NO_CONTROLLED_TAB or TAB_NOT_FOUND.

  • Controlled tabs now show the visible banner WARNING : This tab is controlled by RTO.
  • Banner state is tracked by the background per controlled tab, not via window.name.
  • Master ownership is tracked per controlled tab, which keeps multi-tab workflows separated.

Rule of thumb: most real flows require allow-list + controlled tab + stable selectors.

Origin handshake (page identity)

RTO uses window.postMessage. To avoid a fixed magic page name (and reduce accidental collisions), the helper sets a page-side identifier:

  • Docs pages usually set window.RTO_PAGE_ORIGIN (example: "rto-docs").
  • The extension replies only to the page origin it saw during the initial handshake/detect (the helpers manage this).

Recommendation
Use RTO_form_api.js so you do not have to manage raw messaging details by hand.

Safe DOM actions (no arbitrary code execution)

DOM automation is done through named actions (click, setValue, getText, …). This is safer than evaluating arbitrary JavaScript on the target page.

  • No generic “eval” channel.
  • Actions validate inputs (tabKey, selector, payload fields) and return structured errors.
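
The three gates this page describes (deny-by-default allow-list, controlled tab, named actions with validated inputs and structured errors) can be combined in one dispatcher. This is an added example, not RTO's own code: the function names, the UNKNOWN_ACTION and INVALID_INPUT codes, the exact-match host rule and the order of the checks are assumptions.

```javascript
// Added illustration, not RTO source. DOMAIN_NOT_ALLOWED and NO_CONTROLLED_TAB
// come from the docs; UNKNOWN_ACTION, INVALID_INPUT and all names are hypothetical.
const ACTIONS = {
  // Fixed table of named actions; each lists the payload fields it requires.
  click:    { required: [] },
  setValue: { required: ["value"] },
  getText:  { required: [] },
};

const fail = (code, detail) => ({ ok: false, error: { code, detail } });

// Assumed matching: exact and case-insensitive. An entry with a port must
// equal host:port; an entry without a port is compared to the hostname only.
function isHostAllowed(allowList, pageUrl) {
  let u;
  try { u = new URL(pageUrl); } catch { return false; }
  // Browser-internal pages and other schemes are never controllable.
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  return allowList.some((entry) => {
    const e = entry.trim().toLowerCase();
    return e.includes(":") ? e === u.host : e === u.hostname;
  });
}

// controlledTabs: Map of tabKey -> { url }, standing in for background state.
function dispatch(request, allowList, controlledTabs) {
  const { action, tabKey, selector, payload = {} } = request || {};
  // Own-property lookup: "eval", "constructor" or "__proto__" never resolve.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, action))
    return fail("UNKNOWN_ACTION", String(action));
  if (typeof tabKey !== "string" || !controlledTabs.has(tabKey))
    return fail("NO_CONTROLLED_TAB", String(tabKey));
  const tab = controlledTabs.get(tabKey);
  if (!isHostAllowed(allowList, tab.url))
    return fail("DOMAIN_NOT_ALLOWED", tab.url);
  if (typeof selector !== "string" || selector.length === 0)
    return fail("INVALID_INPUT", "selector");
  for (const field of ACTIONS[action].required)
    if (typeof payload[field] !== "string") return fail("INVALID_INPUT", field);
  // A real extension would now run the fixed handler for `action` in the tab.
  return { ok: true, action, tabKey, selector };
}
```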

Browser security limits

  • The helper scripts run in your page; the extension runs in a different context.
  • Normal web security still applies (same-origin policy, permission prompts, browser internal pages).
  • Some pages cannot be controlled at all (example: browser settings pages).
  • Incognito requires explicit permission (otherwise content scripts do not run there).
