Exactly… wtf. How are people ok with this but not nsec????
Discussion
I really want to know the rationale here.
nos2x is pretty straightforward. Code is available on github. It’s definitely safer than giving out your keys to random clients…
Indeed weird permissions. Perhaps #[5] would like to comment on reading browser history and read/change permissions? As for nsec. We shouldn't "normalize" pasting private keys into websites. Imo anyway.
If you want the extension to provide functionality to a website it has to have access to that website.
thus the extension and any such app should be open source and verifiable. This is how browser extensions work.
it is a bit like any software that you install and run on your computer.
can you tell us more about reading browser history and how it's stored, etc.
it is not stored at all, it is not even accessed (see the code)
but just because these extensions provide functionality (NIP07) to the websites you visit, the extension "knows" that you visited these websites.
What matters is that these extensions are client side applications and don't share data - (not like many browsers that save the browsing history to a google profile for example)
you can also limit this further and enable extensions only on specific websites (though the extension software still needs to "know" that you visit these websites :) otherwise they can not provide the functionality.
that's great!
IF you run the website yourself on your client then it's fine.
but ultimately the attack vector is much bigger having the keys compromised than having the keys in a local signing app on your computer that only signs.
you can limit which websites nos2x has access to on the extension settings