While isolated worlds provide a layer of protection, using content scripts can createvulnerabilities in an extension and the web page. If the content script receives content from aseparate website, such as by calling fetch(), be careful to filter content againstcross-site scripting attacks before injecting it. Only communicate over HTTPS in order toavoid "man-in-the-middle" attacks.