How Browser Extensions Can Introduce XSS

Browser extensions are one of the weirdest XSS threat sources because the vulnerable code often isn’t yours. Your app can have solid output encoding, a decent CSP, and disciplined frontend code, then a user installs an extension that injects scripts, mutates the DOM, rewrites requests, or shoves untrusted HTML into your page. Suddenly your clean security model gets dragged into someone else’s mess. For developers, the hard part is that extension-driven XSS sits in an uncomfortable middle ground: ...
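The mutations the paragraph describes (injected scripts, DOM rewrites, untrusted HTML pushed into the page) happen after the server's output encoding has already run, so the only place an application can still notice them is the live DOM. The following is an added example, not code from the article or from headertest.com: a small in-page monitor that classifies DOM mutations of the kind an extension's content script produces. All function names, the record shape and the sample records are assumptions chosen for this example; the classifier works on plain objects so the same logic runs under Node, and `installMonitor()` attaches it to a real `MutationObserver` when one exists.

```javascript
// Added example (not code from the original article): a monitor for the kinds
// of DOM changes a browser extension's content script can make to a page.
// It flags inserted <script>/<iframe>/<object>/<embed> elements, inline
// event-handler attributes (onclick=...), and javascript: URLs in href/src.
// Function and field names are assumptions chosen for this example.

const RISKY_TAGS = new Set(['SCRIPT', 'IFRAME', 'OBJECT', 'EMBED']);

// Read attributes from either a real DOM Element (NamedNodeMap) or a plain
// { tagName, attributes: { name: value }, children: [...] } object.
function attributesOf(node) {
  const attrs = node.attributes;
  if (attrs && typeof attrs.length === 'number' && typeof attrs.item === 'function') {
    const out = {};
    for (const a of Array.from(attrs)) out[a.name] = a.value;
    return out;
  }
  return attrs || {};
}

// Findings for one attribute name/value pair on an element with tag `tag`.
function assessAttribute(tag, name, value) {
  const findings = [];
  const lname = name.toLowerCase();
  if (lname.startsWith('on')) {
    findings.push(`inline handler ${lname} on <${tag}>`);
  }
  if ((lname === 'href' || lname === 'src') && /^\s*javascript:/i.test(String(value))) {
    findings.push(`javascript: URL in ${lname} on <${tag}>`);
  }
  return findings;
}

// Findings for a single element (text and comment nodes carry nothing executable).
function assessNode(node) {
  const tag = String(node.tagName || '').toLowerCase();
  if (!tag) return [];
  const findings = [];
  if (RISKY_TAGS.has(tag.toUpperCase())) findings.push(`element <${tag}> inserted`);
  for (const [name, value] of Object.entries(attributesOf(node))) {
    findings.push(...assessAttribute(tag, name, value));
  }
  return findings;
}

// Recurse through `children` (an HTMLCollection on real elements, an array on
// the plain objects used in the constructed sample below).
function assessSubtree(root) {
  const findings = assessNode(root);
  for (const child of Array.from(root.children || [])) {
    findings.push(...assessSubtree(child));
  }
  return findings;
}

// Classify a batch of MutationRecord-shaped objects ({ type, addedNodes,
// target, attributeName }) and return human-readable findings.
function assessMutations(records) {
  const findings = [];
  for (const rec of records) {
    if (rec.type === 'childList') {
      for (const node of Array.from(rec.addedNodes || [])) {
        findings.push(...assessSubtree(node));
      }
    } else if (rec.type === 'attributes' && rec.attributeName) {
      const tag = String(rec.target.tagName || '').toLowerCase();
      const value = attributesOf(rec.target)[rec.attributeName];
      if (value !== undefined) findings.push(...assessAttribute(tag, rec.attributeName, value));
    }
  }
  return findings;
}

// Browser-only wiring: hand findings to a callback (e.g. a telemetry beacon).
// Returns null outside a browser so the file also loads under Node.
function installMonitor(root, report) {
  if (typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver((records) => {
    const findings = assessMutations(records);
    if (findings.length) report(findings);
  });
  observer.observe(root, { childList: true, subtree: true, attributes: true });
  return observer;
}

// Constructed sample records, shaped like what a content script might insert.
const SAMPLE_RECORDS = [
  { type: 'childList', addedNodes: [{
      tagName: 'div', attributes: {}, children: [
        { tagName: 'script', attributes: { src: 'https://extension.invalid/inject.js' }, children: [] },
        { tagName: 'a', attributes: { href: 'javascript:doThing()', onclick: 'doThing()' }, children: [] },
      ] }] },
  { type: 'attributes', target: { tagName: 'img', attributes: { onerror: 'doThing()' } }, attributeName: 'onerror' },
  { type: 'childList', addedNodes: [{ tagName: 'p', attributes: {}, children: [] }] },
];

console.log(assessMutations(SAMPLE_RECORDS));
```

In a page you would call `installMonitor(document.documentElement, findings => navigator.sendBeacon('/telemetry', JSON.stringify(findings)))` early in page load. Two caveats: the monitor runs in the page's own JavaScript world, so a content script with enough privilege can remove or neutralize it, which makes this a way to learn which extensions are rewriting your DOM (and to reproduce user bug reports), not a security boundary; and it will also flag the application's own legitimate dynamic inserts, so record a baseline of expected mutations before treating any finding as extension-driven.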

May 16, 2026 · 8 min · headertest.com