Over the last week I've developed and released an extension for Chrome/Firefox that collapses and adds a toggle bar to each Google+ stream post.

I've also just released a bookmark that takes the extension code (from code.google.com) and injects it into the G+ page for those browsers that can't use the extension.

now, my understanding is that this is basically user-control cross-site scripting (XSS).

The thing is, it's exactly what all of the extensions are doing anyway, isn't it?

Is there something I'm missing?