A rather simple Chrome permission bypass. Basically chrome.pageCapture.saveAsMHTML() shouldn’t be able to save pages it doesn’t have the permissions to read like pages belonging to another extension or chrome pages. This check was vulnerable to a race condition and by repeatedly navigating from an allowed page to a disallowed page and back eventually it would end up capturing the disallowed page.