Suppose an extension has a scary list of permissions like that below ("Site access: On all sites"):
Does this also give the extension permission to send my data to the author’s servers via XHR?
I’ve read the documentation here but lack some background knowledge, so I am not sure in my interpretation:
Cross-Origin XMLHttpRequest
After reading this, it seemed like the extension isn’t allowed to send my data somewhere unless it has lines like the below in the manifest – is this correct?
"permissions": [ "https://www.google.com/" ]