
Being able to call getRandomValues from HTTP endpoints doesn't specifically break a password extension unless it was somehow serving over HTTP and had its JavaScript modified.

It doesn't mandate entropy requirements, probably because that's a somewhat contentious measure that not all OSes provide information about (see also: the long and tedious arguments about merging /dev/random and /dev/urandom). As long as the browsers use the underlying OS primitives, it will be fine.

Browsers do a thousand things essential for security that are far harder than providing cryptographically random numbers, and I highly doubt they'll screw it up.


