It is not possible because there are many many many ways a plugin could connect to the internet:
- By using the NodeJS
http/httpsmodule - By using XMLHttpRequest browser API
- By using the browser’s “fetch” API
- By inserting an
<image>,<audio>,<video>, and many other HTML elements containing asrcproperty which will make the engine fetch a URL as if it’s some kind of resource - By inserting an
<iframe>, opening a new BrowserWindow, etc, which can open any page on the internet - By adding a CSS property for
background-image,font-family, etc which will fetch those resources at any URL. - By executing another executable on your computer using the
child_processNodeJS module, such aswget. - By storing a script in an auto-run location such as
.bash_rc, using thefsNodeJS module. - And many many more. Possibly hundreds of other methods that we are not even aware of.
This is a huge attack surface, while we can plug those holes one-by-one and cripple the ability of plugins to do useful work, you can’t take into account the unknown ways a malicious player will be able to exploit.