PageAgent operates at the HTML/DOM level with the same privileges as any other JavaScript running on the page and nothing more. The security token concern you're describing applies equally to every third-party script, npm package, or browser extension that runs in-page. It's not unique to PageAgent.
The browser extension can be more risky because it's more privileged. I've designed a simple authorization mechanism so that only pages explicitly approved by the user can call the extension.
That said, I'd welcome more eyes on this. If anyone wants to review the security model, the code is fully open source.