This repository contains the source code deployed in the Recap browser extension.
The extension acts as a simple proxy to connect to exchange APIs which would otherwise be blocked in browser because of CORS. This means that Recap doesn't operate proxy servers where we could intercept your traffic and snoop on your data. More about Recap's security model.
You can always check the content of the live extension using the Chrome extension source viewer or its online demo.
The only URL that can communicate with the extension is https://app.recap.io/* as defined in the externally_connectable property of manifest.json. This means no other apps or sites can use the extension to bypass browser security. More about externally_connectable.
The extension can only fetch data from URLs defined in the permissions property of manifest.json. This limits which URLs the extension can connect to, which means that Recap can't query any other sites other than those defined. This whitelist is also checked in the fetch method of background.js. More about permissions.