Open NDevTK opened 2 years ago
Geolocation.prototype.getCurrentPosition.call(navigator.geolocation, console.log)
A simple bypass. Maybe should be overridden on the prototype.
I think it's not simple, but there is a project: https://github.com/LavaMoat/snow
For site isolation it's probably better to embed an iframe of an extension page and have that request the geolocation permission. (After confirming with the user)
Page scripts can not be trusted to not use the native APIs.
navigator.geolocation.getCurrentPosition = navigator.geolocation.__proto__.getCurrentPosition
Maybe the API can be blocked for websites by using https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
Ideally the API and permission checks would be done in the background page so site isolation applies.
I may be missing something so pls do correct me :)
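The difference between an instance-level override and a prototype-level one, as discussed in this thread, can be checked mechanically. The following is an added example, not code from the thread or the project: `makeRealm`, `makeGuard`, `hookInstance`, `hookPrototype` and `unguardedPaths` are hypothetical names, and the `Geolocation` class is a constructed stand-in for the browser interface so the check runs outside a browser.

```javascript
// Constructed stand-in for the browser's Geolocation interface (assumption, not the real API).
function makeRealm() {
  const log = []; // records which code actually served each call
  class Geolocation {
    getCurrentPosition(success) { // plays the role of the native method
      log.push("native");
      success({ coords: { latitude: 0, longitude: 0 } });
    }
  }
  return { Geolocation, navigator: { geolocation: new Geolocation() }, log };
}

// Hypothetical guard: asks a permission callback before reaching the native method.
function makeGuard(native, log, isAllowed) {
  return function getCurrentPosition(success, error) {
    log.push("guard");
    if (!isAllowed()) { if (error) error({ code: 1 }); return undefined; }
    return native.call(this, success, error);
  };
}

// Weak: the guard is an own property of the instance; the prototype is untouched.
function hookInstance(realm, isAllowed) {
  const native = realm.Geolocation.prototype.getCurrentPosition;
  realm.navigator.geolocation.getCurrentPosition = makeGuard(native, realm.log, isAllowed);
}

// Stronger: the guard replaces the prototype method and cannot be reassigned there.
function hookPrototype(realm, isAllowed) {
  const proto = realm.Geolocation.prototype;
  Object.defineProperty(proto, "getCurrentPosition", {
    value: makeGuard(proto.getCurrentPosition, realm.log, isAllowed),
    writable: false, configurable: false,
  });
}

// Self-check: exercise the call paths named in the thread and list those that skip the guard.
function unguardedPaths(realm) {
  const geo = realm.navigator.geolocation;
  const paths = {
    instance: () => geo.getCurrentPosition(() => {}),
    prototype: () => realm.Geolocation.prototype.getCurrentPosition.call(geo, () => {}),
    protoChain: () => Object.getPrototypeOf(geo).getCurrentPosition.call(geo, () => {}),
  };
  return Object.keys(paths).filter((name) => {
    realm.log.length = 0;
    paths[name]();
    return realm.log[0] === "native"; // native ran without passing the guard
  });
}
```

An empty result covers only the call paths listed here, within the one realm that was hooked.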