Privacy & Security
Remote Tab Opener is local-first, transparent, and permission-conscious.
No backend · No cookie access · No network interception · Allow-listed domains only
Docs updated:
Firefox MV3 ✓ · Chrome MV3 ✓ (build-dependent)
1) Privacy principles
- Local-only: the extension does not send data to any server.
- Explicit consent: actions run only on domains you add to the Allow-list yourself.
- Least privilege in practice: tab control uses standard extension permissions, and runtime actions are gated by an explicit allow-list policy.
- No eavesdropping: no cookie access, no network interception, no arbitrary code eval.
- Transparency: clear events and errors are posted back to your admin page.
2) Browser permissions (what they mean)
| Permission | Why it’s needed | What we do not do |
|---|---|---|
tabs, activeTab |
Create, update, and focus the targeted tab; read URL/title to reflect state in your UI. | No “tab spying” beyond your targeted controlled tabs; no background scraping. |
storage |
Store small local preferences (favorites, Allow-list, feature toggles). | No syncing to servers; no profiling. |
| Host access (content scripts) | Run predefined DOM actions on hosts that you explicitly allow through the extension policy. | No SOP bypass; no arbitrary cross-site scraping. |
Note: Permissions are declared on install and described on the store listing. The extension does not add hidden capabilities at runtime.
3) Data handling (plain language)
- No collection, no transmission. All actions run locally in your browser.
- No cookie or site-storage access. DOM actions operate on the rendered page only, under explicit host permission.
- Local messages only. Status is relayed to your admin page via
window.postMessage+ extension messaging — never to external servers.
4) Allow-list model
You stay in control: the extension acts only on domains you approve.
- Add or remove domains from the extension popup (browser toolbar).
- Prefer explicit hosts; avoid broad wildcards unless you truly need them.
- When an action fails with
DOMAIN_NOT_ALLOWED, add that host, then retry.
A web page can only request an allow-list addition. Final consent still comes from you through a visible confirmation step (matching master tab flow) or by managing hosts in the popup. For localhost/LAN usage, you must also enable the dedicated “localhost/LAN” flags (double barrier).
5) Local storage (what lives where)
| Item | Scope | Lifetime | Notes |
|---|---|---|---|
| Allow-list | Extension storage | Until you change it | Editable from popup; never uploaded. |
| Favorites | Extension storage | Until cleared | Optional quick-access URLs. |
| Feature toggles | Extension storage | Until cleared | Example: localhost/LAN opt-in flags (build-dependent). |
| UI state (banner) | Controlled tab state | Until tab closed | Minimized/positioned indicator (when enabled). |
| Demo logs | Page memory | Until refresh | Visible in the on-page console only. |
6) Security boundaries
- SOP respected: actions run inside the target tab’s context; injection only occurs on allow-listed hosts.
- No arbitrary code execution: only documented tab + DOM commands are exposed (deny-by-default).
- Command surface is explicit: tab control (open/navigate/focus/close/getUrl/listTabs/adopt/release) and DOM actions (wait/click/type/read bounded outputs).
Sanitized extraction: HTML/text reads are bounded. Sensitive inputs (e.g., password/hidden/credential-like fields) are blocked or redacted. Where applicable, serialization avoids leaking live input values.
7) Your controls
- Stop anytime: close the controlled tab or stop your flow.
- Edit Allow-list: remove a host in the popup to block future actions on it.
- Clear data: remove the extension or clear its storage from browser settings.
8) For developers (ship privacy-friendly flows)
- Gate flows with a
detectcheck; hide remote actions until ready. - On
DOMAIN_NOT_ALLOWED, show the exact host to add + a “Try again” button. - Keep logs technical and minimal; don’t print user secrets.
Tip: Add a quick self-check:
detect → openTab → getUrl, fail fast if misconfigured.
Need help writing safe flows?9) Privacy FAQ
| Question | Answer |
|---|---|
| Do you send data to a server? | No. The extension is entirely local and does not phone home. |
| Do you read cookies? | No. The extension does not read or modify cookies or site storage. |
| Do you intercept network traffic? | No. There is no network interception and no traffic spying. |
| Can a web page add itself to the Allow-list automatically? | No. A page can request, but only the user can confirm or reject the addition (master-tab confirmation flow or popup management). |
| Is any analytics/telemetry sent? | No. The extension sends no analytics and makes no external requests. |