This update introduces major security hardening, privacy enhancements, and stability improvements across the entire extension, directly addressing community feedback and security audits.
🔒 Security & Privacy Enhancements:
Strict Least-Privilege Architecture: Removed the overarching <all_urls> permission from the default manifest. The extension now only requests explicit permissions for required domains (e.g., Telegram, OSINT platforms) and uses optional_permissions for dynamic access.
Interactive Privacy Consent: Introduced a transparent user-consent UI for cross-origin tasks (like the URL Unshortener and Reverse Image Search). Data is only processed locally after explicit user approval.
Targeted ID Scanning: Rebuilt the Google ID Scanner network engine. It now strictly scopes interception to Google domains only, replacing broad global network hooks with precise, context-aware API monitoring.
Zero UI Interference: Removed intrusive DOM overrides (monkey-patching). The extension no longer suppresses native browser warnings (like Gmail's beforeunload), protecting users from accidental data loss.
🛡️ Resilience & Dynamic Config Safety:
Strict Remote Payload Validation: Dynamically fetched tools (tools.json) now pass through a rigorous schema validator before entering local storage.
Protocol Enforcement: The UI and Visual Explorer now strictly enforce https:// protocol resolution for all external OSINT tools, neutralizing XSS and javascript: payload execution risks.
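The remote-payload validation and https:// enforcement described in the two items above, as an added example that is not the extension's own code; the `{ name, url }` entry shape of tools.json is an assumption.

```javascript
// Added example, not the extension's own code: validates a remotely fetched
// tools.json before it reaches local storage and enforces https:// so that
// javascript:, data: and http: tool links are dropped. The { name, url } entry
// shape is an assumption about the tools.json format.

// Returns a normalized https:// URL string, or null if the value is not safe.
function sanitizeToolUrl(value) {
  if (typeof value !== "string" || value.length > 2048) return null;
  let parsed;
  try { parsed = new URL(value.trim()); } catch (e) { return null; } // relative/malformed
  // Protocol check rejects javascript:, data:, blob: and plain http:.
  if (parsed.protocol !== "https:" || !parsed.hostname) return null;
  if (parsed.username || parsed.password) return null; // no embedded credentials
  return parsed.href;
}

// Validates one entry; returns { ok: true, value } or { ok: false, error }.
function validateToolEntry(entry) {
  if (entry === null || typeof entry !== "object" || Array.isArray(entry)) {
    return { ok: false, error: "entry is not an object" };
  }
  const name = typeof entry.name === "string" ? entry.name.trim() : "";
  if (name === "" || name.length > 100) return { ok: false, error: "invalid name" };
  const url = sanitizeToolUrl(entry.url);
  if (url === null) return { ok: false, error: "url must be https:// with a host" };
  // Rebuild with known fields only, so unexpected keys never reach storage.
  return { ok: true, value: { name, url } };
}

// Splits a whole payload into entries safe to store and entries to drop.
function validateToolsPayload(payload) {
  const tools = Array.isArray(payload && payload.tools) ? payload.tools : [];
  const accepted = [], rejected = [];
  for (const entry of tools) {
    const result = validateToolEntry(entry);
    if (result.ok) accepted.push(result.value);
    else rejected.push({ entry, error: result.error });
  }
  return { accepted, rejected };
}

// Constructed sample of a tampered tools.json payload.
const SAMPLE_PAYLOAD = { tools: [
  { name: "Example Search", url: "https://example.com/search" },
  { name: "Bad Scheme", url: "javascript:void(0)" },
  { name: "Plain HTTP", url: "http://example.net/" },
  { name: " ", url: "https://example.org/" },
  "not an object",
] };
```

Only the `accepted` list should ever be written to local storage; the `rejected` list is useful for logging which remote entries failed validation.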
Cache Robustness: Hardened the Visual Explorer and internal search engines to seamlessly handle corrupted or manipulated local cache states without crashing.
Cross-Browser Compatibility: Restored and locked in sidebar_action support, ensuring the AI Side Panel operates flawlessly in Firefox.