It is not possible because there are many many many ways a plugin could connect to the internet:
- By using the NodeJS
http
/https
module - By using XMLHttpRequest browser API
- By using the browser’s “fetch” API
- By inserting an
<image>
,<audio>
,<video>
, and many other HTML elements containing asrc
property which will make the engine fetch a URL as if it’s some kind of resource - By inserting an
<iframe>
, opening a new BrowserWindow, etc, which can open any page on the internet - By adding a CSS property for
background-image
,font-family
, etc which will fetch those resources at any URL. - By executing another executable on your computer using the
child_process
NodeJS module, such aswget
. - By storing a script in an auto-run location such as
.bash_rc
, using thefs
NodeJS module. - And many many more. Possibly hundreds of other methods that we are not even aware of.
This is a huge attack surface, while we can plug those holes one-by-one and cripple the ability of plugins to do useful work, you can’t take into account the unknown ways a malicious player will be able to exploit.