Doesn't the browser know which script it's running?
replyWhy can't it just deny access to the specified path, except to the extension itself?
It does by default, except for the files from the extension that the extension author has explicitly designated as content-accessible. It's explained ("Using web_accessible_resources") at the other end of the link.
reply