This Chrome extension follows security best practices:
- `script-src 'self'` - No inline/external scripts
- `object-src 'none'` - No plugins
- `base-uri 'self'` - Prevents base tag injection
- Platform names validated against allowlist
- Message types validated before processing
- Settings sanitized with type/range checking
- Message origin verified (extension ID match)
- Tab URLs from strict allowlist only
- Only `leetcode.com` and `codeforces.com` - HTTPS enforced
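The validation rules listed above, written out as an added example; this is not the extension's own code, and the function names, the message shape (`type`, `platform`, `settings`), the settings fields and the practice-site URLs are assumptions:

```javascript
// Added example: pure validation helpers that mirror the rules in the list above.
// Names, message shape and settings fields are assumptions, not the extension's code.

// Allowlisted platforms mapped to the exact HTTPS URLs the extension may open.
const PLATFORMS = Object.freeze({
  leetcode: "https://leetcode.com/problemset/",
  codeforces: "https://codeforces.com/problemset",
});

// Message types the background script understands; anything else is dropped.
const MESSAGE_TYPES = new Set(["openPractice", "saveSettings", "getSettings"]);

// Settings schema: expected type plus allowed range/values, used for sanitization.
const SETTINGS_SCHEMA = {
  reminderMinutes: { type: "number", min: 1, max: 1440, fallback: 60 },
  platform: { type: "string", oneOf: Object.keys(PLATFORMS), fallback: "leetcode" },
  enabled: { type: "boolean", fallback: true },
};

// Platform names are checked as own properties so prototype keys are rejected.
function isAllowedPlatform(name) {
  return typeof name === "string" && Object.prototype.hasOwnProperty.call(PLATFORMS, name);
}

// A tab may only be opened for an exact allowlisted HTTPS URL, never a derived one.
function isAllowedTabUrl(url) {
  return typeof url === "string" && url.startsWith("https://") && Object.values(PLATFORMS).includes(url);
}

// Returns a settings object containing only known keys with valid values;
// unknown keys are dropped, mistyped or out-of-range values fall back to defaults.
function sanitizeSettings(input) {
  const src = input && typeof input === "object" ? input : {};
  const out = {};
  for (const [key, rule] of Object.entries(SETTINGS_SCHEMA)) {
    const v = src[key];
    let ok = typeof v === rule.type;
    if (ok && rule.type === "number") ok = Number.isFinite(v) && v >= rule.min && v <= rule.max;
    if (ok && rule.oneOf) ok = rule.oneOf.includes(v);
    out[key] = ok ? v : rule.fallback;
  }
  return out;
}

// Pure message handler: sender.id must match our own extension ID and the type
// must be allowlisted before any field is read. It returns a description of the
// action instead of calling chrome.* so it can be unit-tested outside the browser.
function handleMessage(message, sender, ownExtensionId) {
  if (!sender || sender.id !== ownExtensionId) {
    return { ok: false, error: "untrusted sender" };
  }
  if (!message || typeof message !== "object" || !MESSAGE_TYPES.has(message.type)) {
    return { ok: false, error: "unknown message type" };
  }
  switch (message.type) {
    case "openPractice": {
      if (!isAllowedPlatform(message.platform)) {
        return { ok: false, error: "platform not allowlisted" };
      }
      const url = PLATFORMS[message.platform];
      // Defence in depth: re-check the URL even though it came from our own table.
      return isAllowedTabUrl(url)
        ? { ok: true, action: "openTab", url }
        : { ok: false, error: "url rejected" };
    }
    case "saveSettings":
      return { ok: true, action: "store", settings: sanitizeSettings(message.settings) };
    case "getSettings":
      return { ok: true, action: "load" };
    default:
      return { ok: false, error: "unhandled" };
  }
}

// Wiring in the background service worker (guarded so the helpers also run under Node).
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    const result = handleMessage(message, sender, chrome.runtime.id);
    if (result.ok && result.action === "openTab") chrome.tabs.create({ url: result.url });
    if (result.ok && result.action === "store") chrome.storage.local.set({ settings: result.settings });
    sendResponse(result);
  });
}
```

Keeping `handleMessage` free of `chrome.*` calls is what makes the origin check, the type allowlist and the settings sanitizer testable in isolation; the listener at the bottom is the only place that touches browser APIs.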
| Permission | Purpose |
|---|---|
| `alarms` | Schedule reminders |
| `tabs` | Open practice sites |
| `storage` | Save local settings |
No `host_permissions` - cannot access page content.
| Control | Status |
|---|---|
| A01 Access Control | N/A - No user accounts |
| A02 Cryptography | N/A - No encryption |
| A03 Injection | ✅ Input validation |
| A04 Insecure Design | ✅ Minimal attack surface |
| A05 Misconfiguration | ✅ CSP configured |
| A06 Vulnerable Components | ✅ No dependencies |
| A07 Auth Failures | N/A - No authentication |
| A08 Data Integrity | N/A - No webhooks |
| A09 Logging | ✅ No sensitive logs |
| A10 SSRF | ✅ URL allowlist |
Do NOT open public issues. Email details privately.