Damus

Recent Notes

bigmarh:
The key detail you might be missing is that NostrPass executes in a Worker, not in the main page context. So in NostrPass it goes client -> vault -> worker. The worker has its own context and isn't callable from the extension.
bigmarh:
The origin binding you're describing is real, but there's a gap in the threat model around DOM injection.
When an extension has host permissions for your site, it can run content scripts. You're right that content scripts run in an "isolated world" and can't directly access the page's JavaScript context or OPFS.
But content scripts can manipulate the DOM. And that's the problem.

That injected <script> tag doesn't run in the extension's context. It runs in your page's context. The browser executes it as if NostrVault.tld served it. There's no origin check that fails because from the browser's perspective, it is code running on NostrVault.tld.
The origin boundary isn't being crossed—it's being entered.

Your encryption approach with the NFC card is the right mitigation for this. If the OPFS contents are encrypted and the key never touches JavaScript (stays on the card), then the injected script gets ciphertext it can't use. Just be careful about the window when decrypted data exists in memory—that's still accessible to injected code.

bigmarh:
What stops a rogue extension from accessing the OPFS using navigator.storage.getDirectory() by injecting a <script>? Wouldn't any ext have access in that manner?
bigmarh:
What stops a rogue extension from calling navigator.storage.getDirectory() directly from the page by injecting a script?
bigmarh:
The keys are actually double encrypted. They require the password and PIN. If you have more security questions, I'd say audit the code with one of your favorite AI models. See where the issues lie. The code is open on GitHub.
bigmarh:
Bruh it's so disheartening... I am afraid that the majority is falling for the okie doke... Folks are addicted to fiat.
bigmarh:
Yep, if they implemented it as one of the ways to log in. It can work with all kinds of apps.
bigmarh:
I am building NostrPass for this. So you don't need browser extensions. You can just log in to one app, go to a different webpage and log in there, and your account carries.