Security of native messaging?

Question

I have a NPAPI plugin for sign-in data on website.

I want to replace it by Native Messaging technology. I have read the documentation, but I have a question : Is this

Answer 1

It is, in principle, possible to inspect stdio calls made by an executable.

For instance, on Linux systems, you can use strace for that purpose. I don't know a similar Windows tool, but it's conceivable that it exists.

That would be akin to attaching a debugger to the browser/native host itself, and can only be done by someone who has access to the local machine with the same user credentials or administrative access. In particular, the user running Chrome can do it - just like he/she can use Dev Tools to inspect and intercept the data at the JavaScript side.

So, yes, in principle that can be intercepted, but only by someone will full rights to execute/debug code on the system it's running on, and OS takes care not to allow normal users to inspect processes of other users in this way.