In the FAQ they mention "End-To-End doesn’t trust any website's DOM or context with unencrypted data. We have tried to ensure that the interaction between the extension and websites is minimal and does not reveal secrets to the website."
It would be nice if that got added to the PwdHash[1] extension[2]. The PwdHash Chrome extension currently seems to just try to capture all keyboard events while the master password is entered in a site's password box. Also, it seems to me that it runs in the site's context.
But when displaying the cleartext of a previously sent email or received email... they must be able to decipher the encrypted text in order to display it to the viewer, no?
I'm curious about this too. Does that mean they somehow insert a textbox that the host page can't see? I didn't realize extensions could do that.
Edit: ah, this appears to be where it happens. They insert an iframe the extension owns, so the host page won't be able to see what's in it:
https://code.google.com/p/end-to-end/source/browse/javascrip...
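The extension-owned iframe pattern described in the comment above, as an added sketch that is not from the thread or from End-To-End's source. The page name `compose.html`, the function names and the `ciphertext` message shape are assumptions made for illustration.

```javascript
// Added illustration. compose.html, mountSecureFrame and acceptFrameMessage
// are hypothetical names, not End-To-End identifiers.

// Content script: put an extension-owned frame into the host page.
// compose.html ships inside the extension and must be listed under
// web_accessible_resources in the manifest for the frame to load.
function mountSecureFrame(doc, runtime, anchor) {
  const frame = doc.createElement('iframe');
  // chrome-extension://<id>/compose.html is a different origin from the
  // host page, so page script gets no access to frame.contentDocument.
  frame.src = runtime.getURL('compose.html');
  anchor.appendChild(frame);
  return frame;
}

// Content script: the only thing accepted back from the frame is ciphertext.
// Returns the armored text, or null if the message is not trusted.
function acceptFrameMessage(event, frame, runtime) {
  const extOrigin = runtime.getURL('').replace(/\/$/, '');
  if (event.source !== frame.contentWindow) return null; // not our frame
  if (event.origin !== extOrigin) return null;           // not extension code
  const msg = event.data;
  if (!msg || msg.type !== 'ciphertext' || typeof msg.body !== 'string') {
    return null;
  }
  return msg.body;
}

// Wiring, only when running as a real content script.
if (typeof chrome !== 'undefined' && chrome.runtime &&
    typeof document !== 'undefined') {
  const frame = mountSecureFrame(document, chrome.runtime, document.body);
  window.addEventListener('message', (event) => {
    const armored = acceptFrameMessage(event, frame, chrome.runtime);
    if (armored !== null) console.log('ciphertext ready, length', armored.length);
  });
}
```

Plaintext is typed and encrypted inside the frame; anything posted to the parent window is also visible to page script, which is why the handler accepts ciphertext only.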