Privacy & Security
Remote Tab Opener is local-first, transparent, and permission-minimal.
No backend · No cookie access · No network interception · Allow-listed domains only
Firefox ✓ · Chrome (MV3) planned
1) Privacy principles
- Local-only: the extension does not send data to any server.
- Explicit consent: actions run only on domains you add to the Allow-list yourself.
- Least privilege: minimal standard permissions (
tabs,activeTab,storage, host injection limited by your Allow-list). - No eavesdropping: no cookie access, no network interception, no arbitrary code eval.
- Transparency: clear events and errors are posted back to your admin page.
2) Browser permissions (what they mean)
| Permission | Why it’s needed | What we do not do |
|---|---|---|
tabs, activeTab |
Create, update, and focus the targeted tab; read its URL/title to reflect state in your UI. | No tab spying beyond targeted tabs; no screenshots; no background scraping. |
storage |
Store small local preferences (favorites, Allow-list, lab toggles). | No syncing to servers; no profiling. |
| Host access (content scripts) | Run predefined DOM actions inside sites you explicitly allow in the popup. | Does not bypass SOP; no cross-site data scraping. |
Note: Permissions are declared on install and described on AMO. The extension does not add hidden capabilities at runtime.
3) Data handling (plain language)
- No collection, no transmission. All actions run locally in your browser.
- No cookies or site storage access. Content scripts only perform the requested DOM actions on Allow-listed pages.
- Local messages only. Status is relayed to your admin page via
window.postMessageand extension messaging — never to external servers.
4) Allow-list model
You stay in control: the extension acts only on domains you approve.
- Add or remove domains from the extension popup (browser toolbar).
- Wildcards are supported (e.g.,
*.google.*) — keep them specific and intentional. - When an action fails with
DOMAIN_NOT_ALLOWED, add that host, then retry.
The web page itself cannot programmatically add hosts to your Allow-list. Browser consent must come from you via the popup. Some common demo seeds may be offered locally; you can edit or remove them anytime.
5) Local storage (what lives where)
| Item | Scope | Lifetime | Notes |
|---|---|---|---|
| Allow-list | Extension storage | Until you change it | Editable from popup; never uploaded. |
| Favorites | Extension storage | Until cleared | Optional quick-access URLs. |
| Lab settings | Extension/page storage | Until cleared | UI flags, last URL/title mirrors. |
| Demo logs | Page memory | Until refresh | Visible in the on-page console only. |
6) Security boundaries
- SOP respected: actions run inside the target tab’s context; frames injected only when host permissions allow it.
- No arbitrary code execution: only documented tab + DOM commands are exposed (deny-by-default).
- Normalized APIs: background/tab control (
open/openTab,navigate,focus,getUrl/getTitle,listTabs,adoptTab,releaseTab) and content-side DOM actions (waitFor,setValue,click,submit,getHtmlwith bounded output).
Sanitized extraction: HTML reads are bounded and sensitive inputs are redacted or blocked (e.g., password/hidden/payment identifiers). Where applicable, outerHTML serialization avoids leaking live input values.
7) Your controls
- Pause/stop anytime: close the controlled tab or stop your flow.
- Edit Allow-list: remove a host in the popup to block future actions on it.
- Clear data: remove the extension or clear its storage from browser settings.
8) For developers (ship privacy-friendly flows)
- Gate flows with a
detectcheck; hide remote actions until ready. - Show a clear banner on
DOMAIN_NOT_ALLOWEDwith the exact host to add, plus a “Try again” button. - Keep logs technical and minimal; don’t print user secrets.
Tip: Add a quick self-check:
detect → openTab → getUrl locally, fail fast if mis-configured.
Need help writing safe flows?9) Privacy FAQ
| Question | Answer |
|---|---|
| Do you send data to a server? | No. The extension is entirely local and does not phone home. |
| Do you read cookies? | No. The extension does not read or modify cookies or site storage. |
| Do you intercept network traffic? | No. There is no network interception and no webRequest permission in the public builds. |
| Can a web page add itself to the Allow-list automatically? | No. Only the user can add or remove hosts via the extension popup. Programmatic self-addition by a page is not allowed. |
| Is any analytics/telemetry sent? | No. The extension sends no analytics and makes no external requests. |