Fundamental Security Issue

[danielsmc]

Defining window.tabgod() doesn't just mean you can call it from devtools. It means that any JavaScript running on the page can call it. This, of course, completely destroys the same-origin policy that is central to browser security. If this is somehow the intended behavior, there should be a very prominent warning not to install this except in specialized development environments.

[devidw]

I was only thinking from the development perspective, but not about the consequences this would have with every user having that api under the same name in the global scope - you're absolutely right.

0627531 moves the api from the global function to an options page and dev tools panel ui, instead of using external message passing its creating a port between only the extension and the service worker and not the user world anymore.