The GitHub PAT is stored in chrome.storage.local — the standard approach used by Octotree, Refined GitHub, and other major GitHub extensions.
chrome.storage.local(notsync) — token stays on-device, never synced to Google servers- Sandboxed per-extension — other extensions and websites cannot access it
- No encryption — consistent with industry practice; if an attacker has access to extension storage, they already have full browser access
- Extension only requests
storagepermission - No
tabs,history,cookies, or broad host permissions - Network restricted to
https://api.github.com/*viahost_permissions - Token should be a classic PAT with
reposcope — the setup screen links directly to the creation URL with the scope pre-filled
Declared explicitly in manifest.json under content_security_policy.extension_pages:
script-src 'self'; object-src 'none'
- No inline scripts
- No external JavaScript
- Network restricted to
https://api.github.com/*viahost_permissions
- All API string values escaped via
escapeHtml()/escapeAttr()before innerHTML insertion - Numeric values coerced to integers before rendering
- Error messages sanitized — no raw API responses shown to the user