We use storage.local to store users' data, such as their accounts, options and trustedWebsites. We encrypt everything in storage for security.
We do not share users' sensitive data with anyone.
Accounts (Array): Users can create or import accounts using our extension's features. Each account has some properties (like balance, address, name, assets) that we have to keep. We also encrypt this part using the AES-256 algorithm.
Options (Object): Users can go to the settings page and choose the settings they want. For example, they can choose between different explorers. Transactions are shown in the chosen explorer.
trustedWebsites (Array): Websites can interact with the extension, but our users have to confirm this interaction before a website can access their accounts' addresses. We save each user's trusted websites in this area so that, after confirming once, the user doesn't have to confirm that website again.
We do not use localStorage, sessionStorage or cookies. We need storage in the background.
We use content_scripts to add some code to users' tabs so that developers who want to interact with the extension can do so and get some data in return (like account addresses).
For example, developers can write code that invokes `window.rabet.connect()`.
The extension looks at the user's options and finds privacyMode. If privacyMode is off, it returns the address of the user's active account right away. If privacyMode is enabled, a popup appears and the user can confirm or reject the request.
We have written complete documentation for our interaction part at:
https://docs.rabet.io.
Feel free to look at it.
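The connect decision described above, sketched as an added example (this is not Rabet's source code). The names `originOf`, `handleConnect`, `askUser` and the shape of `state` are hypothetical; it also assumes that trust is keyed by exact origin and that a trusted origin skips the popup when privacyMode is on.

```javascript
// Added example with hypothetical names; not taken from the extension's code.

// Reduce a page URL to its origin (scheme + host + port) so trust is granted
// to one exact origin and never matched by prefix or substring.
function originOf(pageUrl) {
  try {
    const u = new URL(pageUrl);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch (e) {
    return null; // not a parseable URL
  }
}

// state: { options: { privacyMode }, trustedWebsites: [origin], activeAddress }
// askUser(origin) -> boolean stands in for the confirmation popup; it is
// synchronous here only so that the example is easy to follow.
function handleConnect(state, pageUrl, askUser) {
  const origin = originOf(pageUrl);
  if (origin === null) return { ok: false, reason: 'invalid-origin' };

  // privacyMode off: the active account's address is returned right away.
  if (!state.options.privacyMode) {
    return { ok: true, address: state.activeAddress, prompted: false };
  }
  // privacyMode on, origin already confirmed once: no second popup.
  if (state.trustedWebsites.includes(origin)) {
    return { ok: true, address: state.activeAddress, prompted: false };
  }
  // privacyMode on, unknown origin: the user decides.
  if (!askUser(origin)) {
    return { ok: false, reason: 'rejected', prompted: true };
  }
  state.trustedWebsites.push(origin); // remember the approval
  return { ok: true, address: state.activeAddress, prompted: true };
}

// Constructed sample state; the address is a placeholder, not a real key.
function sampleState() {
  return {
    options: { privacyMode: true },
    trustedWebsites: ['https://shop.example'],
    activeAddress: 'GEXAMPLEPLACEHOLDERADDRESS',
  };
}
```

Because the list stores whole origins, a look-alike such as `https://shop.example.evil.test` is treated as a new site and still triggers the popup.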
Devs can also send a request that asks the user to sign an XDR for them. Let's say I'm the developer, I've created a shopping website, and I want the user to pay with XLM for what they choose on my website. I create a transaction, convert it to XDR, and then call `window.rabet.sign(xdr)`. A popup appears and the user can confirm or reject it.
I do not sell or transfer user data to third parties.
Only the "address" field is sent to our server, in order to serve asset images. It is a public field in the user's accounts and can be seen in an explorer.
https://rabet.io