2025-12-17 23:29:41 UTC

mfoster.io on Nostr:

That is a good question. It is bound to the origin binding: OPFS storage is origin-private. Even if an extension injects code, the storage it accesses is scoped to that origin. It cannot cross into another site’s OPFS. So if you’re on NostrVault.tld, injected code can only touch NostrVault.tld OPFS, not NostrClient.com’s or a rogue extension.

The rogue extension would have to have host permission to access the Origin Private File System (OPFS), and eventually our goal is to encrypt the data at rest with OPFS with an OpenPGP cert from the NFC card so a rogue extension wouldn’t know how to interpret it or what to do with it, if it got access to it.