 Safari signer + web highlighter when you have damus installed. 😎 nostr:note1qy87jsmztzruhselr88vfdkkjdg7af5cljnstsqde9wrmcjyu5psrkawz5 
 Damooooooose! 
 sweet 
 Good to have a NoStore alternative. If only those extensions would work with PWAs on the home screen - but Apple says no. 
 👀 
 pfp 👀 
 😉 
 😆 
 I wonder if he likes my new pfp? 😜 
 hell yeah!  as a nostr web dev i salute you ser with a thousand whale salute 🐳🫡

now i just gotta start stacking these ipas with like, ipatool or something so can test on lambdatest 
 Sick 🤘 
 is this feature currently only available to testflight users? 
 it's a new thing we're working on, it's not out yet 
 Woah 🤩

I’ve always wondered about extensions, and don’t know very much. 

Do they basically have read/write access to everything you do on a webpage by default? Can it be scaled back, or limited by the user, or is it dependent simply on how much info the developers need in order to make it functional?

In short: can one enable an extension, give it their nsec, use it to log into web clients, and still retain moderate privacy in their online activity? 
 the idea is that Damus can protect your nsec from nostr websites, otherwise they could swipe it and send it to their server. It uses NIP-07, which allows nostr webapps to sign things but not read your key.

I want to also add protections against wiping and corrupting your profile/contact data, which buggy nostr clients can do by accident. 
 Extensions usually have all or nothing access per domain. 
 And that’s controlled by the user, no? (Like that old Bitcoin rewards shopping app - Lolli - I remember I’d get a request on each domain I visited asking for pretty comprehensive permissions).

Wouldn’t an extension that can sign your nostr events also be seeing all the content on your nostr web client?

I’ve steered clear of extensions in general in the past, partly because they seem like they are bad for privacy, and partly because I don’t know enough about how they work to feel like I’m in control of what they get or how they use that information.

Might be time to do-my-own-research. But I appreciate both of your insight, especially in the context of nostr and with privacy-conscious users 🙏