jinglescode / web-content-conversation

Add collaborative layer to your Internet browsing experience
https://satcom.app
Apache License 2.0
33 stars, 1 fork

Please address privacy concerns #20

Open Giszmo opened 8 months ago

Giszmo commented 8 months ago

In order to get relevant events, the extension has to query those and the query has to contain the URL. URLs are a privacy and sometimes a security issue. Please add in the description how the user's browsing history is handled. This might require a disclaimer or warning that all URLs of all tabs will get leaked to all configured relays or something.

jinglescode commented 8 months ago

I can do up a "how it works".

Regarding your concern, there is no reading of user browsing history (don't have permission).

Giszmo commented 8 months ago

Well, the full history gets leaked to the relays if you check with every tab all the time if there is any conversation on nostr.

jinglescode commented 8 months ago

Pulling events won't write data to relays. Only posting will attach the active tab's URL to the event's JSON.

Giszmo commented 8 months ago

The relay still gets the query, which tells it the URL. It doesn't broadcast it, but the relay has to be trusted here.

jinglescode commented 8 months ago

Right. What do you suggest then?

Giszmo commented 8 months ago

As I said in the issue description I would tell the users.

Sadly there is probably no elegant way around the privacy issue. Hashing would fix the security issue though.

So imagine you are browsing a domain that puts a secret into the URL - early browser bitcoin wallets did that. Your current implementation might currently query the relays for the full https://domain/path?query#anchor. The anchor is generally supposed to always remain local but path and query are also a privacy concern. Also the query and anchor might contain random stuff that you would not want in your request anyway. So you would need first a normalization where you get rid of session cookies and other such stuff but then you could hash the /path?query part assuming the anchor part was dropped anyway. This way, even if /path?query does contain a secret, you won't leak it unless somebody actually comments on that page.

jinglescode commented 8 months ago

You're right about the params, I've stripped off the URL in 0.0.11.