First, Do No Harm: Studying the manipulation of security headers in browser extensions