
A malicious browser extension can access your email, SSO prompts, password manager, etc., and therefore gain access to your Tailscale network anyway. SSH web doesn't add a new threat vector here. It's already game over.


A browser extension cannot access your email or password manager. But it can use this new security hole created by Tailscale.


If the extension in question has the read/modify all websites permission, why would it not be able to access your email or password manager?


Not OP, but... my email and password managers are not websites. I have a local app that does email, I have a local app that does password management. So the extension could certainly access passwords I put into my browser, but I don't see a vector to the "keys to the kingdom" so to speak.


The most popular password managers (1Password, Bitwarden, LastPass) have a web UI.


Sure, and I use Bitwarden. I just don't use the web UI, specifically to avoid issues like malicious extensions, Firefox exploits, etc.

I'm aware that web-based email and credential managers exist, but GP asked "...why would it not be able to access your email or password manager?" I answered that, with my app choice, I don't see how they could.


Who's using extensions in a work context anyway? I only use an ad-blocker because it's safer from a malware perspective.


> Who's using extensions in a work context anyway?

Literally everyone?


React Developer Tools, for example.


Ah, thanks. I'm more on the sysadmin side for my day job, and didn't even know about this. I'll have to keep it in mind as I've been dabbling with learning a modern web framework and React was a candidate.



