No remote executable code
YASE does not download or execute JavaScript or WebAssembly from remote servers. Remote catalogs, if enabled for customization features, are declarative data only and are validated before use.
The MV3 extension runtime is limited to the bundled code shipped in the browser extension package.
Token and account boundaries
- Google Sign-In authenticates your YASE account only. It does not grant YouTube API access.
- Your YouTube cookies, session tokens, and internal YouTube identifiers stay in your browser. They are never sent to the YASE server.
- YASE access tokens are held by the extension's background service worker; content scripts on YouTube pages cannot read them.
External data validation
- Any SVG content YASE handles is sanitized before storage or rendering.
- For customization features, the extension only accepts known font file paths from configured catalog hosts and rejects remote executable code.
- Diagnostic exports and support bundles are anonymized before they can be shared, and they never include credentials.
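An allow-list check of the kind the font catalog rule above describes, as an added example that is not YASE's own code. The host name, path layout, entry shape and the `validateFontEntry` helper are assumptions made for illustration.

```javascript
// Added example, not YASE's code. Host, path layout and entry shape are assumptions.
const ALLOWED_HOSTS = new Set(["catalog.example.test"]); // hypothetical configured catalog host
const FONT_PATH = /^\/fonts\/[a-z0-9][a-z0-9_-]*\.(woff2|woff|ttf|otf)$/i; // assumed layout
const ALLOWED_KEYS = new Set(["family", "url"]);

// Returns { ok: true, url } for an acceptable font entry, else { ok: false, reason }.
function validateFontEntry(entry) {
  if (entry === null || typeof entry !== "object" || Array.isArray(entry)) {
    return { ok: false, reason: "not-an-object" };
  }
  // Declarative data only: reject unknown keys instead of silently ignoring them.
  for (const key of Object.keys(entry)) {
    if (!ALLOWED_KEYS.has(key)) return { ok: false, reason: "unknown-key:" + key };
  }
  if (typeof entry.family !== "string" || !/^[\w -]{1,64}$/.test(entry.family)) {
    return { ok: false, reason: "bad-family" };
  }
  if (typeof entry.url !== "string") return { ok: false, reason: "bad-url" };
  let u;
  try { u = new URL(entry.url); } catch { return { ok: false, reason: "bad-url" }; }
  if (u.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (u.username || u.password || u.port) return { ok: false, reason: "authority" };
  if (!ALLOWED_HOSTS.has(u.hostname)) return { ok: false, reason: "host" };
  if (u.search || u.hash) return { ok: false, reason: "query-or-fragment" };
  // Test the parsed pathname so "../" segments are judged after normalization.
  if (!FONT_PATH.test(u.pathname)) return { ok: false, reason: "path" };
  return { ok: true, url: u.href };
}

// Constructed sample catalog: only the first entry is an acceptable font reference.
const SAMPLE = [
  { family: "Inter", url: "https://catalog.example.test/fonts/inter-regular.woff2" },
  { family: "Inter", url: "https://catalog.example.test/fonts/loader.js" },
  { family: "Inter", url: "https://catalog.example.test.other.invalid/fonts/a.woff2" },
  { family: "Inter", url: "https://catalog.example.test/fonts/../app/main.woff2" },
  { family: "Inter", url: "http://catalog.example.test/fonts/a.woff2" },
  { family: "Inter", url: "https://catalog.example.test/fonts/a.woff2", onload: "x" },
];
const results = SAMPLE.map(validateFontEntry);
console.log(results.map((r) => (r.ok ? "accept" : "reject:" + r.reason)));
```

The check compares the exact parsed hostname and the normalized pathname, so a look-alike host suffix or a `../` segment cannot pass as a known font path.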
Report a vulnerability
Send security reports to security@yase.run. Please include the extension version, the browser you used, and steps to reproduce the issue.