CacheCat implements the following security measures:
- No Dangerous Code Execution
  - No `eval()`, `innerHTML`, or `Function()` constructor
  - Safe JSON parsing with error handling
- Message Security
  - Origin validation for all messages
  - Message type whitelist enforcement
  - Message structure validation
- Input Validation
  - Key/value size limits (10KB keys, 10MB values)
  - Type checking for all inputs
  - Prevents DoS attacks
- Content Security Policy
  - Restricts script sources to extension only
  - Prevents XSS attacks
- Sender Validation
  - Cookie operations validate sender is from dashboard
  - Prevents unauthorized access

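
The message, input and sender checks listed above can be combined into a single gate that runs before any storage or cookie handler. This is an added example, not CacheCat's own code: the message type names, the `dashboard.html` path and measuring the size limits in UTF-8 bytes are assumptions.

```javascript
'use strict';

// Hypothetical message types and dashboard page; CacheCat's real names may differ.
const ALLOWED_TYPES = new Set(['storage:get', 'storage:set', 'cookies:get', 'cookies:set']);
const DASHBOARD_PATH = '/dashboard.html';
const MAX_KEY_BYTES = 10 * 1024;          // 10KB key limit from the list above
const MAX_VALUE_BYTES = 10 * 1024 * 1024; // 10MB value limit from the list above

// Assumption: limits are UTF-8 bytes. UTF-8 never uses fewer bytes than the
// string has UTF-16 code units, so the length check rejects huge input cheaply.
const tooBig = (s, max) => s.length > max || new TextEncoder().encode(s).length > max;

// `sender` has the shape of chrome.runtime.MessageSender ({ id, url }).
// Returns { ok: true } or { ok: false, reason } and never throws on bad input.
function validateMessage(message, sender, extensionId) {
  const fail = (reason) => ({ ok: false, reason });

  // Origin validation: accept only messages sent by this extension's own contexts.
  if (!sender || sender.id !== extensionId) return fail('origin');

  // Structure validation: a plain object carrying a string `type`.
  if (message === null || typeof message !== 'object' || Array.isArray(message) ||
      typeof message.type !== 'string') return fail('structure');

  // Message type allowlist enforcement.
  if (!ALLOWED_TYPES.has(message.type)) return fail('type');

  // Sender validation: cookie operations must come from the dashboard page.
  if (message.type.startsWith('cookies:')) {
    const page = typeof sender.url === 'string' ? sender.url.split(/[?#]/)[0] : '';
    if (page !== `chrome-extension://${extensionId}${DASHBOARD_PATH}`) return fail('sender');
  }

  // Input validation: type checks first, then size limits.
  if (typeof message.key !== 'string' || message.key.length === 0) return fail('key-type');
  if (tooBig(message.key, MAX_KEY_BYTES)) return fail('key-size');
  if (message.type.endsWith(':set')) {
    if (typeof message.value !== 'string') return fail('value-type');
    if (tooBig(message.value, MAX_VALUE_BYTES)) return fail('value-size');
  }
  return { ok: true };
}
```

In a service worker this function would be called at the top of the `chrome.runtime.onMessage` listener with `chrome.runtime.id` as `extensionId`, rejecting the message before any handler runs.
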
- ✅ 100% Local Operation - All data stays on your device
- ✅ No Data Collection - We don't collect any information
- ✅ No Data Transmission - Nothing is sent to external servers
- ✅ No Analytics - No tracking or analytics
- ✅ No Third-Party Services - No external API calls
All permissions are necessary for the extension to function:
- `<all_urls>`: Required to access storage on websites (only used when you click extension icon)
- `cookies`: Required for cookie management
- `scripting`: Required to inject scripts for storage access
- `activeTab`: Required to attach to websites
- `alarms`: Required to keep service worker active (ensures attachments persist, no data access)

- ✅ Manifest V3 compliance
- ✅ Strict mode in all scripts
- ✅ Error handling for all operations
- ✅ Request timeouts (30 seconds)
- ✅ No external dependencies
If you discover a security vulnerability, please do not open a public issue. Instead:
- Email the maintainer or create a private security advisory on GitHub
- Provide details about the vulnerability:
  - Description of the issue
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

We take security seriously and will respond promptly to all security reports.
GitHub Security Advisory: https://github.com/chinmay29hub/CacheCat/security/advisories/new
Status: Excellent ✅
The extension follows security best practices and is published on the Chrome Web Store.