Would it be possible to offer an option to deactivate all features which require a content script, and as a consequence switch off the content script injection? This would allow people who find copying the credentials from the browser toolbar convenient enough to close this attack vector.
Thank you - I encourage you to stay on course. And if this ever makes its way into the product, an option to switch it off would be much appreciated.