yeah I'm not sure if you can make an isolated and secure browser extension outside of safari ?
Discussion
Good question. Maybe through some wasm?
Yes. I think most people misunderstand how this works.
A bit of JS code is injected that takes the nostr.* calls communicates with the extension that is in an isolated context (AFAIK with postMessage). The extension then checks permissions or does popups.
:/ please do some research
yeah its slightly more isolated, but its still floating around in the process space and js env. I would just feel more comfortable with runtime.sendNativeMessage to an app with no network access and shared keychain access with Damus
makes sense, but you probably have bigger problems if there’s a safari ACE vulnerability