Doesn't the browser know which script it's running?
Why can't it just deny access to the specified path, except to the extension itself?
Doesn't the browser know which script it's running?
Why can't it just deny access to the specified path, except to the extension itself?
It does by default, except for the files from the extension that the extension author has explicitly designated as content-accessible. It's explained ("Using web_accessible_resources") at the other end of the link.