I just realized that even if you are only allowed to make a `GET` request to only one url
`var xhr = (new XMLHttpRequest()).open("GET", "
http://myserver.com/file.json");`
then you can send anyway a small amount of data to
myserver.com :
Make a request an odd day if you want to communicate a 1 and an even day if you want to communicate a 0 So in any case, it is insecure to install an extension if you didn't look a its source code and if it has at least one url in `"permissions"'
I think this answers to my original question.