How does Same Origin Policy apply to browser extensions?

面向向阳花 2020-12-03 16:02

Given a browser extension that sends information from one webpage to an entirely different server, is this violating the same origin policy?

1 answer
  • 2020-12-03 16:02

    The same-origin policy (SOP) applies to ordinary web pages, not browser extensions, even if they are written in JavaScript. What does "different server" mean when the extension code does not originate from a server? (The extension script might have some kind of origin, like chrome-extension://longhashidentificationstr, but not a traditional domain/origin.) To communicate with any Web page (except those that have CORS headers), the extension cannot be bound by the SOP.

    Extensions don't exactly "violate" the SOP; instead, the SOP does not apply to them. The SOP is designed to limit damage that can be caused by a compromised or malicious Web page. Viewing a web page should require zero trust in the page, since it is so easy to visit a Web page. However, installing an extension is something users do less frequently and has larger impact on the user, so it's not unreasonable to require some trust in the extension.

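The origin comparison that the answer refers to, as an added example that is not part of the original answer: an origin is the (scheme, host, port) tuple, and a chrome-extension:// origin can never equal a web page's origin. The extension ID, the URLs and the helper names `originOf`, `sameOrigin` and `classifyRequest` are assumptions made for illustration.

```javascript
// Added example; the extension ID and every URL here are constructed.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Build the (scheme, host, port) tuple that the same-origin policy compares.
// URL.origin is avoided: runtimes that do not treat chrome-extension: as a
// special scheme (Node.js, for one) report its origin as "null".
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return u.protocol + "//" + u.hostname + (port ? ":" + port : "");
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Label a request by who initiates it (hypothetical helper for review notes).
function classifyRequest(initiator, target) {
  if (new URL(initiator).protocol === "chrome-extension:") {
    // Extension code has its own origin and never matches a web origin;
    // per the answer above, trust comes from installation, not from the SOP.
    return "extension-initiated";
  }
  return sameOrigin(initiator, target) ? "same-origin" : "cross-origin";
}

const EXT = "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh/popup.html";
const samples = [
  ["https://shop.example/cart", "https://shop.example:443/api"], // default port
  ["https://shop.example/cart", "http://shop.example/api"],      // scheme differs
  ["https://shop.example/cart", "https://api.shop.example/v1"],  // host differs
  [EXT, "https://collector.example/ingest"],                     // extension code
];

for (const [from, to] of samples) {
  console.log(classifyRequest(from, to).padEnd(20), from, "->", to);
}
```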