Easy Dark Mode

The declarativeNetRequest rule unconditionally removes `content-security-policy` and `x-frame-options` from every website the user visits (main_frame and sub_frame). Stripping CSP destroys XSS protection site-wide; stripping X-Frame-Options enables clickjacking on any site relying on it. While some dark mode extensions strip CSP selectively (e.g. only for pages that fail injection), removing it globally for all URLs goes far beyond what dark mode rendering requires and materially harms the user's security posture on every site they browse.

[  {    "id": 1,    "priority": 1,    "action": {      "type": "modifyHeaders",      "responseHeaders": [        {          "header": "content-security-policy-report-only",          "operation": "remove"        },        {          "header": "content-security-policy",          "operation": "remove"        },        {          "header": "theme-security-policy",          "operation": "remove"        },        {          "header": "x-frame-options",          "operation": "remove"        }      ]    },    "condition": {      "urlFilter": "*",      "resourceTypes": [        "main_frame",        "sub_frame"      ]    }  }]

On install and every ~4 hours (triggered by `DM_UPDATE` message in content.js when `Date.now() - lastUpdate > 144e5`), the background script POSTs a persistent UUID (`userId`) and the user's full custom domain list (`customDomains`) to the publisher's server. The `customDomains` array reveals which specific websites the user has visited and deliberately configured, making it a behavioural profile tied to a stable identifier. No data collection of any kind is declared in the CWS listing. The server's response (`suggestColorMode`, `darkModeFilters`) is stored in local storage and used by the content script to influence per-site behaviour, constituting a live remote-configuration channel — the exact pattern identified by Palant's 2025 research on this extension class.

c.append("contextRef", e), // e = userId (UUID generated at install)  c.append("customMode", JSON.stringify(a)), // a = customDomains array  n.n = 1, fetch(    "https://easy-dark-mode.online/api/themeConfigData", {      method: "POST",      body: c    });// ...i = n.v, s = i.recommend, f = i.darkModeFilters,  n.n = 4, chrome.storage.local.set({    suggestColorMode: s,    darkModeFilters: f  }, (function() {}));

The bundled manifest (v1.3.2) declares only `storage` and `declarativeNetRequest`, omitting `tabs` and `scripting` that appear in the live CWS published manifest. The popup code in `popup/popup.js` actively calls `chrome.tabs.query()` with URL access (requiring the `tabs` permission), so the bundled manifest is functionally incomplete — the extension uses capabilities it does not declare in the analysed package. A mismatch where the published version carries broader permissions than the ZIP indicates the CWS listing may represent a silently upgraded capability set relative to the reviewed bundle.

{  "permissions": [    "storage",    "declarativeNetRequest"  ],  "host_permissions": [    "<all_urls>"  ]}

On each startup the background registers an uninstall URL that encodes the persistent `userId` in the path. This means even a user who removes the extension silently pings the publisher's server with their tracking UUID, confirming removal and completing the lifecycle record. Combined with the regular telemetry POSTs, this demonstrates a deliberate user-tracking infrastructure operating without CWS disclosure.

chrome.runtime.setUninstallURL(  "https://easy-dark-mode.online/api/uninstall/" + t)