Same thing for browser extensions: a simple browser extension (e.g. web dark mode), can read all your password fields. It's crazy that there are no proper permission scopes in any major browsers ! It would have been so easy to make password / email fields exempt from browser extensions unless they ask for the permission.
Pro tip: I’ve seen plenty of dedicated extensions that could have just been simple snippet equivalents in Tampermonkey - an extension that lets you run JS limited to wildcarded websites.
I've used it to inject download links on sites, autoclose modals, etc. You can either write them yourself, or review other people before installing them.
It’s not a perfect solution, but at least it reduces the surface area to a single extension.
I do not think it'd be "so easy" to separate password input access into a separate permission because it'd only open up a can of worms. There's so many ways to read a password input's value, from listening to key events to monkey patching `fetch`, that it's not worth playing whack-a-mole just to provide users a false sense of security
I'm also skeptical that even a dark mode extension would be simple considering how varied web pages can be
It's not that complicated. Protect input.value. But good point on networking, but also an easy fix: extensions that do not have a special network permission, should not be able to hook/look into your requests.
In your example wouldn't that leave the email and password fields the wrong color? I agree with the principle though. Most extensions don't need to access everything.
