security policy

Also, this a plugin to a _web browser_. So, suppose we "forbid" the plugin from sending data to a web site. Instead, it finds an IMG in a web page and rewrites it to be an indirect, sending the data to a web site and returning the original image. Of course there are a million variations on this theme, many of which look (to a machine anyway) indistinguishable from legitimate actions.

The big problem with security policies is finding something that users can understand correctly. This is a big research topic. It is often possible to create something which _technically_ works but which almost no-one will operate correctly, for an end user application like Firefox this is plainly useless (whether it is useless in more specialised applications is up for debate).