Ublock Origin — Navigator

critical

Critical combo: broad host access + webRequest

Extension can intercept and read all network traffic on every website

permissions

high

Risky permission: <all_urls>

Unrestricted access to every website

permissions

high

Risky permission: privacy

Can change privacy-related browser settings

permissions

high

Risky permission: webRequest

Can intercept and observe all network requests

permissions

high

Risky permission: webRequestBlocking

Can block and modify network requests in flight

permissions

high

Content script runs on all URLs: http://*/*

Injected JS: /js/vapi.js, /js/vapi-client.js, /js/contentscript.js

content_scripts

high

Content script runs on all URLs: https://*/*

Injected JS: /js/vapi.js, /js/vapi-client.js, /js/contentscript.js

content_scripts

medium

Risky permission: storage

Read/write access to extension storage

permissions

medium

Risky permission: tabs

Access to URLs and titles of all open tabs

permissions

medium

Risky permission: webNavigation

Receives all navigation events

permissions

medium

Content script targets code hosting: https://github.com/*

Injected JS: /js/scriptlets/subscriber.js

content_scripts

medium

Content script targets code hosting: https://*.github.io/*

Injected JS: /js/scriptlets/subscriber.js

content_scripts

medium

Content script targets code hosting: https://github.com/uBlockOrigin/*

Injected JS: /js/scriptlets/updater.js

content_scripts

medium

Content script targets code hosting: https://ublockorigin.github.io/*

Injected JS: /js/scriptlets/updater.js

content_scripts

low

Content script injects at document_start on 2 pattern(s)

Runs before the page DOM is constructed, which is unusual

content_scripts