Post author here! I wrote this post five years ago. Since then, my conviction in the value of customizable software has only grown, but I've also updated my thinking in a few ways:
1) AI
AI is rapidly getting better at coding. Current AI is often bad at high-level architecture but is capable of making small local tweaks. Seems like a good fit for the kind of code you need to write a browser extension!
I'm exploring this direction; wrote more about it in "Malleable software in the age of LLMs" [1]
2) Security
Having talked to people who worked on various extension platforms including the browser extensions API, I see more clearly than I did five years ago that security is often the key bottleneck to deploying extension platforms meant for mass adoption. Anytime you want everyday computer users to be installing invasive extensions to important software from untrusted third parties, it's gonna be challenging to protect them.
That said, I still think that conversations around extensions tend to focus too much on security at the expense of all else. Customizability is important enough that it may be worth prioritizing it over security in some cases.
I also think there are many reasonable paths forward here. One is to exchange extensions with trusted parties -- e.g., coworkers or friends -- rather than installing from random people on the internet. Another might be to only build your own extensions; perhaps that'll become more viable with AI-assisted programming, although that introduces its own new security issues. And finally, I've met a few people who have smart ideas for architecting software in a way that helps resolve the core tensions; see [2] for an example.
3) Backend access as a key limitation
I've increasingly realized that the fact that browser extensions can only access client code in a fairly server-centric web means that many deep customizations are out of reach. Perhaps you can't read the data you want, or there's not a write API to do the thing you need.
While I'm optimistic about what extensions can do within the boundary of the client, this is an inherent limitation of the platform.
At Ink & Switch (the research lab I now work for), we're working towards local-first [3] software: collaborative software where the data and the code live on your device. Among other benefits like privacy, we think this is the right foundation for more powerful extensions, since your data and the app code aren't locked away on a server.
The security problem of open platforms is the key.
Anything that is open enough to let someone who knows what they're doing customize the system to their liking will also be abused by bad actors persuading people who don't know what they are doing to customize the system in ways that harm them.
The fact I can write my own custom keyboards on Android is great! But the fact someone can convince your grandparents to install a keyboard that includes an embedded key logger is not!
Browser extensions have always been a malware-rich ecosystem. Joking about removing all the toolbars from your parents' Internet Explorer whenever you went home for Thanksgiving dates back to about 1999.
Executing untrusted code would be a lot safer if browsers and mobile OSes would make it easy to provide fake resources to the app/extension.
Yes, you may read my phone contents, and as far as you know, it's the contents, the whole contents and nothing but the contents - it just happens to be a folder to me. An empty folder. It's a new phone you see.
Yes here's my contact list. Sorry it's mostly empty, there's just the costly premium number in there. I hope your mothership doesn't try to call it.
Yes, here's my microphone. Oh thank you, yes, I do a good impression of Rick Astley.
Pictures on my phone? Oh yes, right this way. It's all pictures of turnips. Do you like them?
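The "fake resources" idea from the comment above, as an added JavaScript example (not code from the thread): untrusted code is handed a Proxy over the device API, resources the user has not granted are answered with decoy data instead of an error, and every lookup is recorded so the user can later see what the code tried to reach. The API shape (`listContacts`, `listPhotos`, `recordAudio`) and all sample data are invented for this example.

```javascript
// Constructed stand-in for the real device API.
const REAL_API = {
  listContacts: () => ["Alice <alice@example.invalid>", "Bob <bob@example.invalid>"],
  listPhotos: () => ["beach.jpg", "family.jpg", "passport.jpg"],
  recordAudio: () => "<real microphone samples>",
};

// Decoys that look like a freshly set-up device: an empty contact list, a
// harmless photo collection and silence from the microphone.
const DECOY_API = {
  listContacts: () => [],
  listPhotos: () => ["turnip1.jpg", "turnip2.jpg"],
  recordAudio: () => "<silence>",
};

// Wrap the real API so that only granted resources pass through. Each lookup
// is appended to `log` as { resource, served } for later review.
function makeDecoyApi(realApi, decoyApi, grants, log) {
  return new Proxy(realApi, {
    get(target, prop) {
      const name = String(prop);
      if (grants.has(name)) {
        log.push({ resource: name, served: "real" });
        return target[name];
      }
      log.push({ resource: name, served: "decoy" });
      return decoyApi[name];
    },
  });
}

// Constructed "extension": greedily enumerates everything it is handed.
function untrustedExtension(api) {
  return {
    contacts: api.listContacts().length,
    photos: api.listPhotos().length,
    audio: api.recordAudio(),
  };
}

// Run the untrusted code with a set of grants and return what it saw, plus the
// resources it touched without a grant (the list a reviewer would look at).
function runWithGrants(grants) {
  const log = [];
  const api = makeDecoyApi(REAL_API, DECOY_API, new Set(grants), log);
  const result = untrustedExtension(api);
  const ungranted = log.filter((e) => e.served === "decoy").map((e) => e.resource);
  return { result, ungranted };
}

if (typeof require !== "undefined" && require.main === module) {
  // Only photos are granted: contacts come back empty, audio is silence.
  console.log(runWithGrants(["listPhotos"]));
}
```

The point of the `ungranted` list is that the decoy approach is not only a containment measure: a record of which resources an extension reached for, without having been granted them, is exactly the evidence a user or reviewer needs to decide whether to keep it.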
I'm so excited about the malleable software / local-first / local-AI crossover, I feel like we are at the dawn of a new era of software. If we play our cards right, we can bring back control of our data from the large corporations, have ownership, and more control of how we work.
I'm particularly interested in how general purpose CRDT toolkits like Automerge and Yjs could become the backing filetype for local-first software with interoperable sync/collaboration backends. The user can then have direct access to the underlying data via standard tooling. Files can be linked, embedded within each other, forked and merged.
We could have a new hypermedia platform built on this, where all documents can be shared, forked, edited in realtime...
Basically, love what you are all doing at Ink and Switch, excited to see what you publish next.
Major limitation of browser extensions is that if you want to just write them for yourself, there's no user-friendly, scalable way to install them. There's no way to tell the browser that you trust all extensions in some directory to be loaded automatically and be used without signing and without maybe even having to be packed into an XPI file. There's no "put a bunch of code+manifest into a directory and have browser use that" feature. This kind of simple deployment drove me to write a ton of userscripts when Greasemonkey just loaded plain files from gm_scripts/ subdir of browser profile directory. It was fun and easy to extend websites back then. Mozilla killed all that.
Deployment is just terrible. There's no way I'm sending my extensions somewhere over the internet to get signed after every change so I can use code I wrote on my own computer. WTF dystopia is that? Never mind the last time I checked the tooling for signing is some stupid ass 100MiB+ NPM/node app I have to now trust too. It's bigger than a freaking Linux kernel build itself.
Just the framing of "browser extensions" is extremely problematic in the year 2024.
Most browser extensions by weight are Google Chrome extensions. Google Chrome is unambiguously demonstrating that no API is safe in its quest to juice revenues. Anybody who builds extensions using Chrome's APIs should be very aware that they're quite possibly putting effort into something a juggernaut will stomp away without a second thought.
I don't care to live in strategically lost situations like this, so I think the conversation should be about Firefox extensions. Which also don't have a great track record (the transition to Google Chrome compatibility a few short years ago still annoys me greatly), but are a qualitatively better counter-party to deal with.
1. They increase the attack surface of the browser
2. They have routinely been transferred to (for money) or taken over by malicious entities
3. Often they subtly break things in ways that are fine for expert users but which result in support reach-outs from others
Most browser extensions seem to be used on Firefox, because Google is so hostile to ones on Chrome. With the decline of Firefox, the extension world has shrunk. I had something called "Ad Limiter" on both Firefox and Chrome for a decade. Identical code, even. Google sent me threatening messages last year, as they tightened the screws on ad blockers, and I dropped it for Chrome.
> Most browser extensions by weight are Google Chrome extensions. Google Chrome is unambiguously demonstrating that no API is safe in its quest to juice revenues. Anybody who builds extensions using Chrome's APIs should be very aware that they're quite possibly putting effort into something a juggernaut will stomp away without a second thought.
How unlike developing for literally any other environment.
Has Firefox fixed its syncing feature? You used to have to literally move a profile file around. I remember working in IT a long time ago and Firefox was an absolute nightmare to deal with corporately. But then, back then, we couldn't control Chrome extension installations.
There is a standard for browser extensions. I also built browser extensions before the standard.
So you can build now a browser extension that works in Chrome, Firefox, Edge and Safari.
But indeed, you can also use some specific APIs for only a single browser.
That is really bad, like building a site only for a single browser.
But the base should be compatible.
And because you always can see the extension source code, you can modify a version for your own that works well in your browser. (And you can share it again, of course.)
"I don't care to live in strategically lost situations like this, so I think the conversation should be about Firefox extensions."
Why would the conversation not be about editing the Firefox source code to add or remove "features" to meet one's personal needs.
What is the point of "open source" if, to use the term from the submission title, the software is effectively un-"hackable".
There is no small amount of "attack surface", and many unneeded "features", that could be removed from Firefox to someone's benefit, maybe it's only one user,^0 but that will effectively never happen. Why? It is open source so anyone should be able to audit the code and change it to their liking.
0. To be clear, I am not commenting about "most users" or the majority of users or whatever. I am referring to the small class of users who are explicitly dissatisfied.
In 1995, there were numerous non-commercial browsers. Netscape, the source of Mozilla, was one of the few attempting to commercialise.
There is nothing wrong with having "all-in-one" programs. As long as other "not-all-in-one" programs also exist as alternatives.
Arguably, the aim of the "all-in-one" program may be to obviate the existence of other programs, namely smaller, simpler ones.
Those pushing gigantic web browsers might assume and argue, e.g., that it is inconvenient to have different programs for different tasks. This could be true. For some users. However it is also true that small programs can be made to work with each other. UNIX is the example. Over thirty years of continual growth. The companies behind the giant browsers probably could not survive without it. There is choice.
Large "all-in-one" programs and small ones like UNIX utilities can co-exist. The two are not mutually exclusive.
Personally, I prefer not to use a giant browser to make HTTP requests on the open internet. It is overkill and there is a profound lack of user control. (Hence "solutions" like "sandboxing", and an ever-increasing number of Band-Aids that serve only to add more needless complexity. The companies releasing these giant "all-in-one" programs are funded by advertising. Enough said.) For me the "modern" browser is more useful as an image viewer and media player.
It is possible to "browse" the web without advertising, tracking or other annoyances, I do it every day,^1 but not with one of these giant advertising-supported "all-in-one" programs like the "modern" web browser. It is a losing battle to try. No amount of "extensions" can change the balance of power over those giant programs.
Despite that these "browsers" are "open source", dissatisfied users who know how to program are not editing the source code to remove the bad bits. Instead they helplessly complain in forums like HN.
1. I am not a typical user. (Though I might have been in 1995.) I prefer text over graphics. I like to read without distraction. Because text is easy for the user to manipulate, it seems to have a defense against advertising that is not available with graphics. For example, if text ads were inserted into response bodies, I can easily filter them out.
Many popular browser extensions were bought up by data brokers that use them to exfiltrate browser history, so not sure if they’re underrated, I think you have to be pretty careful as the extension security/privacy model is/was pretty awful. I e.g. know screenshotting extensions (Awesome Screenshot) that would vacuum up your browser history and send it to a data broker in Israel. So probably better to have that as a native browser feature.
> Many popular browser extensions were bought up by data brokers that use them to exfiltrate browser history, so not sure if they’re underrated
I would say, as the developer of an upfront paid web browser extension, that upfront paid web browser extensions are underrated. ;-)
It's a truism that if you're not the customer, you're the product. But what if you are the customer? I think a lot of the mistrust of browser extensions is due to the difficulty in monetizing extensions directly. If you're making nothing from an extension, and someone offers you a nice check to acquire the extension, it can be difficult to turn down that money, especially if the extension is a support burden for the developer. Of course I have my price too, as almost everyone does, but at this point the price would have to be 7 figures (maybe 8??), which I don't think anyone would ever pay for my extension. My user base is relatively small, and thus doesn't provide a huge opportunity for data collection or other nefarious schemes, precisely because the extension is paid rather than free.
Yes. Because of this and the lack of fine-grained permissions mentioned by a sibling comment, I tend to use desktop apps where I can instead of extensions, keeping my extensions list quite slim — basically all I install are FOSS extensions by “big” known-good authors (e.g. Raymond Hill) or projects that aren’t going to sell out.
Of course risks exist with desktop apps too, but historically this kind of buy-and-exfiltrate scheme is comparatively rare with desktop apps, particularly on macOS where signed apps are sandboxed and can’t do a whole lot without user permissions.
>probably better to have that as a native browser feature
Agree. It is crazy that I have to trust some unknown coder with all my browser data just to enable vertical tabs in Firefox.
Of course many of these extensions are open source and thus auditable. As I lack the skill to detect nefarious code, I am wondering if this might be a good use case for AI. Anyone have thoughts on building good malware-finding prompts?
I wish browser extensions had more fine-grained permissions but it's a tricky problem verifying if software is using permissions maliciously (see the Obfuscated C Code Contest and the Underhanded C Contest) and how to communicate nuanced permissions to users (most users don't read and/or understand tech stuff, and can be easily misled).
A tip in Chrome that I never see mentioned if you want to be extra safe when trying extensions:
- Go to Profiles > Add profile > Continue without account
- Install any extensions you feel like in this profile and they're completely isolated from the tabs, logins, history, cookies and so on in your regular profile. Similarly, you can run Chrome Beta or Chrome Canary for installing extensions into, alongside regular Chrome.
E.g. you can install 10s of potentially risky web development extensions into this profile (they usually need a lot of access to do what they need to do), and keep them sandboxed away from the profile where you do your personal banking or login to work websites.
It's not practical for every extension, but I do this for my web development stuff and only use a couple of extensions for personal stuff.
I sell a browser extension where the permission I really want to ask for is "can only observe the network traffic it sends/receives in its own tabs" but I'm lumped with having to ask for the "read and write all your data" permission, but I make sure to share the above tip in the description (shameless plug: https://chromewebstore.google.com/detail/checkbot-seo-web-sp...).
Firefox user here, I wish Multi-Account Containers had a way to disable extensions per container. I don't need any on my banking site. Sure I could use separate Profile but UX hurts here.
The "read and change all your data" permission is a huge hurdle for our shopping extension, especially since we only need to identify shopping pages. What I've tried to build trust is to open source our tracking analytics (e.g. https://github.com/Score-Extension/score-extension-analytics...).
Hopefully transparency is one way to overcome this trust barrier.
> I sell a browser extension where the permission I really want to ask for is "can only observe the network traffic it sends/receives in its own tabs" but I'm lumped with having to ask for the "read and write all your data" permission
Yeah, it would be nice if there were a way to limit the entire scope of an addon's permissions to a whitelist of domains. Chromium has a way of whitelisting domains an addon can run on[1] but I've assumed it doesn't affect the broader permissions you mention (general history, etc).
[1] Click 'Details' of the addon and switch the 'Allow this extension to read and change all your data on websites you visit' option to 'On specific sites' then add the sites to the whitelist.
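To make the "read and change all your data" versus site-scoped distinction concrete, here is an added JavaScript example (not code from the thread or from any of the extensions mentioned) that audits a WebExtension manifest.json for the broad grants discussed above, and shows a narrowly scoped manifest beside a broad one. Both manifests are constructed samples; the set of API permissions treated as sensitive is this example's own judgement, not a browser-defined list. `host_permissions`, `content_scripts`, `activeTab`, `tabs`, `history` and the other permission names are real manifest keys and Chrome permission names.

```javascript
// Host patterns that match every site: the "read and change all your data on
// all websites" install prompt.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions that expose cross-site data (history, every tab's URL, all
// cookies, all network requests, ...). Example's own list, not Chrome's.
const SENSITIVE_APIS = new Set([
  "history", "tabs", "cookies", "webRequest", "webRequestBlocking",
  "debugger", "management", "clipboardRead",
]);

function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// Returns human-readable findings; an empty list means nothing broad was declared.
function auditManifest(manifest) {
  const findings = [];
  const declared = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions"; V3 moves them to
  // "host_permissions". Handle both.
  const hosts = [...(manifest.host_permissions || []), ...declared.filter(isHostPattern)];
  const apis = declared.filter((p) => !isHostPattern(p));

  for (const h of hosts) {
    if (ALL_SITES.has(h)) findings.push(`host permission ${h} grants access to every site`);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (ALL_SITES.has(m)) {
        findings.push(`content script ${(cs.js || []).join(",")} runs on every site (${m})`);
      }
    }
  }
  for (const a of apis) {
    if (SENSITIVE_APIS.has(a)) findings.push(`API permission "${a}" exposes cross-site data`);
  }
  return findings;
}

// Constructed sample: the shape that produces the scary prompt.
const BROAD_MANIFEST = {
  manifest_version: 3,
  name: "Constructed sample: screenshot helper",
  permissions: ["tabs", "history", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// Constructed sample: the same kind of feature limited to one site. activeTab
// grants temporary access to the current tab only when the user invokes the
// extension, so no standing host permission is needed for that.
const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: "Constructed sample: coupon clipper",
  permissions: ["activeTab", "storage"],
  host_permissions: ["https://coupons.example.com/*"],
  content_scripts: [{ matches: ["https://coupons.example.com/*"], js: ["content.js"] }],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("broad:", auditManifest(BROAD_MANIFEST));
  console.log("scoped:", auditManifest(SCOPED_MANIFEST));
}
```

Run against a manifest pulled from an installed extension's directory, a non-empty result is the list of things to ask about before trusting it; the "On specific sites" toggle described in [1] narrows the host part at install time, but the API permissions flagged here are granted regardless of that toggle.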
> Browser extensions remind us what it’s like to have deep control over how we use our computers.
Uh. Linux users would like a word here.
But more generally, there's a significant component of this that seems isomorphous to the question I was trying to discuss in a post I wrote several years ago called "Is Open Source a diversion from what users really want?"
There seems to be much more excitement about ways to "hack" software that do not involve build systems than the complete, open-ended and (theoretically) unbounded access provided by FLOSS. It's not hard to see some obvious reasons why that would be true, but still a little disappointing.
I tried to discuss that here, specifically in the contrast between Reaper's provision of scripting-but-closed-source versus Ardour's scripting-but-open-source.
As a Linux user, I disagree. It's not quite the same. Yes, I could recompile my kernel if I wanted to. I can recompile most of userspace too. But it's a hassle, especially if you want to diverge from upstream, and maintain that divergence on a long-term basis.
You can do some fun hacks with LD_PRELOAD et al, but it's nowhere near the degree of flexibility and ease of access of browser extensions.
I am allowed to modify all the software as I see fit (and that's excellent), but the friction of actually doing so is (comparatively) high.
The shift of Linux to systemd was a very similar experience to the decline of browser extensions. Yes, you can change how your computer works. But unless you're willing to put a lot of effort into maintaining those changes, the APIs you use will be cut out from under you and it'll be harder and harder to make your computer do what you wanted rather than what someone else thought it should do.
I built a chrome extension that is featured on the chrome web store[1] and the number of requests I get from shady data brokers looking to buy my extension and fill it with spyware is really concerning. A naive dev could build something cool and sell it off to someone thinking they'll maintain it for them but instead just cause a hazard for users. Google seems to do a decent job of reviewing the use of permissions but some extensions like mine really need access to everything on the page so I can only imagine what a data broker could do with it. Be careful what you install.
I think what we need the most is a "view source" for browser extensions installed from the store: make it easy to view the source and to extract the browser extension into a folder.
Make it easy to find out which web pages they access and which they modified.
Minimized/encrypted code in extensions should be forbidden. It should be very easy to read the code.
In chrome go to chrome://extensions, enable developer mode, and now you can view source for any extension in devtools. The content scripts are already available in the regular web page's devtools without enabling developer mode.
The total list of websites is available in the installation popup for the extension.
The chrome web store already bans code obfuscation. Minification is allowed as there's no meaningful way to enforce the quality of variable names.
You can view the source of browser extensions hosted on the Chrome Web Store without installing them. I've occasionally used this tool for that purpose: https://robwu.nl/crxviewer/
This won't help against intentionally-obfuscated code but it should help with security & privacy research for most extensions.
> Today, it requires a big jump to go from using browser extensions to creating them: you need to learn a fair amount of web development to get started, and you can’t easily develop extensions in the browser itself. What if there were a quick way to get started developing and sharing extensions in the browser? You could imagine smoothly transitioning from editing a website in the developer tools to publishing a small extension.
They're not full extensions, but userscripts and user styles go a long way, and extensions exist that allow people to create/use them in the browser (e.g. Tampermonkey[0] and Stylus[1].) I consider them incredibly important, even though they can't do as much as extensions.
Userscripts are underrated! I use them for all kinds of things, like fixing GitHub's useless landing page (taking me to my repositories instead), making the Mastodon "follow" button work (by hardcoding my instance's domain), blocking useless results from Google search results (stackshare and the like), redirecting from the YouTube "short" view to the normal video view, removing the stupid whitespace to the right of Gmail's scrollbar, etc.
I program (not js/ts), use a massive number of extensions and consider myself an absolute power user of them and refuse to ever use a browser WITHOUT the chrome/firefox extension ecosystem, I've written themes for Chrome and VScode, but I'm still here- (like pink/cyan? get on in! https://marketplace.visualstudio.com/items?itemName=mikejk8s...).
I have no idea via the Chrome prompts what extensions are able to do, read, see, access, etc. "Allowed to access data on all websites" - Is this literally all data? Like what I'm typing? Like does it know when I go URL to URL? Is it just reading the assets? Is there a chrome API that limits their access that I can see? What do I actually need to worry about? I have a video zoomer that lets me zoom in on any video on any website, do I need to literally audit each extension myself and make sure it's not mirroring my data elsewhere or something?
I have no idea. How would a non technical user know any of this?
Like another user mentioned because of this I only trust a few key extensions(and like that user uBlock, Bitwarden, etc) with this sorta access.
I'd be very wary of those scrapy screen/session recording startups if for no other reason than they could be particularly vulnerable to supply chain attacks.
yes it’s that bad. i’ve written some webexts and if you ask for all data it really is all data... otherwise how would it work if you needed to change something on a page? i keep my list to my own bespoke one-off extensions or only the major big names or i audit the code manually.
Well that's a handy site you have there. Last time I fiddled with bookmarklets they didn't work on Firefox for Android, but now they do. This is going to be handy combining it with my Node-red instance.
They're much too big of a target now for spy- or malware. They have too much access to everything we do in a browser. And you can't just evaluate them once, they auto-update silently and you never know when they might be bought by a malicious actor.
I use a very limited set of extensions I trust like uBlock origin and Bitwarden. Also some developer extensions, but usually not on my main browser. Everything else is just not worth the risk for me.
Is there a way to use browser extensions safely?
Any extension that looks interesting needs access to everything I see on the screen (and even modify it), which to me seems a huge security risk. My understanding is that a random extension is able to read and send somewhere almost all my data when I read my email, do online banking, etc.
Do I understand correctly the situation?
>My understanding is that a random extension is able to read and send somewhere almost all my data when I read my email, do online banking, etc.
Depends on the permissions requested by the extension but often yes. The permission "Can read all data on any webpage" means exactly that.
> Is there a way to use browser extensions safely?
Yes. Depending on your paranoia/security standards. Here's what you can do (ordered by importance).
1. Use more than one browser (but stay away from proprietary or less popular browsers) and/or use multiple profiles (both firefox and chrome have them)
2. Have separate profiles for banking, personal email, work and general browsing. (Also good for productivity)
3. Banking profile should have no extensions.
4. Use only mozilla-vetted 'recommended' and 'security reviewed' extensions in firefox for less important accounts. Check the permissions carefully and see if they're sane. I don't use extensions in chrome at all since google web store does no vetting at all beyond automated scanning. It's the wild west out there.
5. You can be less careful with general browsing profiles as long as you don't log into important accounts. Use firefox containers (this is more for privacy though than security)
6. If some addon is tempting but not reviewed - I try to review the code (if it's small and readable enough). After vetting, I disable auto-updates. A greasemonkey script that does equivalent functionality is often preferable since the code is usually smaller and readable. Disable auto-update there too. Otherwise resist the temptation to install too many addons.
Not really, I don't think. I hear a lot of people saying that you can inspect the source if you follow steps X, Y, and Z, but that's not a one time thing. Each time the extension is updated you have to do a full audit. You can install it independently to avoid updates, but then you run the risk of things breaking or falling behind (such as adblocker lists). Happy to learn from more experienced people that I'm wrong on this, but that's my current expectation from decades of using browsers and extensions.
For me, an extension can only require so much hands-on effort before that effort outweighs the rewards of the extension. Years ago I had the Vimium plugin and loved it, but the provided functionality isn't worth the necessary audits. Not wanting to have to trust that it never sells out or gets hacked, I got rid of it. These days I just use a small handful of extensions (ublock origin, noscript, vuejs devtools) that I feel comfortable trusting and that make a significant impact on my browsing experience. I can manage without the rest.
It's possible to extract the extension's source, save it locally, and then manually install it. That insulates you from the risk of a malicious update.
(You could also audit the extension for complete safety, but TBH I'm usually too lazy to do that, and I assume that the risk of an extension currently being malicious is far lower than the risk of an extension later being updated to become malicious)
You're free to use only extensions which are open source. So you can build them yourself, and also spot check changes in the code whenever there's a new upstream release.
I love the idea of browser extensions but they don’t appear to be worth the security/privacy risk for my use cases. I wonder how many others are like me and too paranoid to risk extensions at all?
I honestly can't imagine not using extensions. I'm 39 and have been on the web since Netscape etc in the early 90s and I honestly care more about the extensions than I do anything the browser actually does. Like, if there were no extensions I don't think I'd care at all if I used Firefox, Chrome, Opera, etc. But Chrome and Firefox have this massive, massive ecosystem of productivity improving extensions.
I'll give an example since I'm tooting so loudly about this, my job entails a lot of R&D and distributing knowledge to other engineers in a concise manner. I use an app called hypothesis- https://web.hypothes.is/ which is very popular in research groups.
What it does is it lets me essentially annotate websites. So for instance I have an application with a front end UI, instead of writing readmes with no interaction to the front end UI I can actually annotate each page like a how-to, or a help doc. You go to that specific URL and get notified that there's a hypothesis doc on it to read.
When I used to work at a k8s distro company I used it to help teach people how to deploy clusters, etc.
Another one is Dark Reader that makes every single website dark mode. uBlock I can't even remember a time of my life not using to block ads. I do have null stuff via cloudflare dns as well but still use uBlock everywhere since it's also a massive security improvement blocking chaotic javascript.
Your paranoia is warranted. Like I replied in another thread up, there are a couple of things you can do. Use multiple browser/profiles. Keep a separate profile or two with no extensions for banking, shopping, email and other important stuff. You can install a couple addons in your 'general browsing' profile. In general install only 'recommended' and security-reviewed addons with firefox.
What has always blown my mind is the lack of documentation/open source projects. With such powerful data we come across while browsing the web, it would only make sense to me there would be more tools to use and extend in this space. Browsing history is especially undervalued. Even though the data technically exists, it is quite difficult to retrieve pages that have been visited, imo because of poor UX. Most people keep every Internet journey opened in hopes they will remember to return to it. I have been taking a stab at improving the UX with a history browser extension [1] which I have found myself legitimately finding value in using (a first for my personal projects lol).
More like overrated. An extension can't be better, can't offer more than what the host application allows. All these developers hang on by a thread. Compared to OS APIs, in-app APIs are more unstable. Goals, profit incentives affect a single application much harsher than how a wider ecosystem would react. It's good that they exist, but at most they are viewed as a necessary annoyance by their hosts. Chrome I won't even need to mention, but winds could turn anytime on something like VSCode as well.
Sure, Webkit and VSCode are both open source and forkable along with their extension support, but any later development would rot compatibility until, and if, a popular fork emerges.
He had the same point, where it feels like browser extensions are a big, somehow under-appreciated market. Browsers are huge platforms -- creating add-ons and making them more capable should be a popular, value-generating thing to do! But for a number of (developer) UX/UI issues, that just hasn't been the case. I hope this changes!
The web has become unusable without extensions like uBlock Origin, but extensions can contain malware.
I have moved over to only using extensions that have gone through Mozilla's manual code review necessary to become part of their "recommended extensions" program.
> Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts
It's possible that some here might confuse Web Extensions with Safari App Extensions. Safari App Extensions are not the same as Web Extensions. App extensions are written in native code (Objective-C or Swift); they operate within Apple's sandbox; their data is saved within Apple's secure file system; and if they are sold via the Apple App Store, they are reviewed and approved by Apple. One never has absolute assurance that an app is proof against attack, but until I learn otherwise, I think Safari App Extensions are safe.
One benefit I would add is that cross platform support is great for browser extensions. Browsers already run on different OS's and devices. Browser API and extension API are fairly uniform among the major browsers. It's close to the cross platform support of general websites.
As an experiment I developed my latest browser extension on Firefox [1], Chrome, and Edge [2] at the same time to see how difficult it is to share the same code base. The difference is minuscule, less than 0.01%. Chrome and Edge are essentially the same. Firefox is a bit behind in Manifest V3 support and needs a few lines of Firefox-specific API calls. The manifest files have a few differences. Overall, sharing the same code base is very feasible.
How do you "compile" the bookmarklets? I know of https://bookmarkl.ink/ but then we're back to trusting some third-party service again. I get that it's not rocket science, but this is definitely a small hurdle to overcome.
The unfortunate part of web browser extensions is that, like the treadmill of web frameworks and app development, browsers can’t seem to stop changing and tweaking how extensions work and remove perfectly good functionality. So you end up sometimes having to rewrite an extension or its manifest with very little assistance from browser makers. But at least you don’t need to learn XUL any longer, so not all changes are bad ;-)
I've had some ideas for browser extensions over the years, most recently a few months ago. I remember looking at Mozilla docs for making a Firefox browser extension and, as a SWE w/10 YoE (mostly fullstack web), I was left confused. The documentation felt incomplete and I left the article with more questions than I had before.
I run a browser automation extension that only does actions on certain sites (clipping coupons for grocery store sites and credit card offers rewards). I created it this way specifically because I am terrified of extensions that want to read and write all sites. And you should be too.
I wish the chrome store gave badges to extensions like mine to make people more aware, give a filter when searching for new extensions, and to encourage least permissive development.
The chrome store extension rules are also unevenly enforced. Take a look at the source code for something like 1password. It is full of obfuscation and completely unintelligible which is against the store rules. I base64 encoded a single string that was my json dict in an otherwise completely readable js file and it went through on one publish but a few versions later was red flagged.
I love working with hackable software. I kind of attack it at the source level vs writing for the browser however. For example, say there's some tool on a git repo. I will shamelessly clone it and build off of it to my own liking. Maybe I add another 1% to the code base, or maybe that repo becomes 1% of a codebase I write on my own. These are tools I could never share however, because of the rampant plagiarism I am doing, and the fact I don't much care about getting it to run on different systems beyond my own. That being said, fast and loose coding like this is a very powerful way to iterate on personal projects that never need to be anything but. I wish more things were actually hackable, especially mobile or appliance hardware. Companies never like giving the power users the reins for some reason.
Plagiarism? The vast majority of codebases I've seen on GitHub specifically allow you to do what you are doing. No need to make it sound like a bad thing.
Browser extensions, if we use the analogy of apps running within the browser as an OS, are lacking simple capacities to manage the risks. Just like any app a user can install on their devices, extensions extend the attack surface. As we cannot avoid the risk by removing all of them, we can just allow users to have more control over them regardless of the browser they use. I suggested[0] using standard management APIs provided by browsers, so the ecosystem can use them as building blocks for FOSS and/or commercial tools. That's a very naïve idea but why not?
Talking about how bad Google is limiting ad blockers, then going ahead and saying "I use Chrome extensions" (I am assuming that means in Chrome). It's your fault then. Move to Brave (has an ad blocker without limitations built in, and you can use all Chrome extensions) or Firefox or whatever browser, but if you continue to use Google's shit then you are helping them kill what makes extensions great. They do not even support extensions on mobiles, obviously with the excuse of performance, but it's so most people who are actually on mobile can't block ads and otherwise remove commercial toxicity from the web.
Browsers REALLY have to fix the "read all your data" problem. Even with domain limitations, if you use an extension for a site, that means you use that site a lot, so you probably even have an account on it.
I think extensions should declare a bunch of CSS selectors that they need data access to, and if an element doesn't match those selectors, then all attributes and .innerText/.innerHTML should return undefined.
I don't care if normal people can't understand what CSS selectors are. Just hide it in "view technical details" box or something.
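A plain-JavaScript model of the selector-declared data access proposed in the comment above, added here as an example and not part of any comment in the thread: the extension declares the selectors it may read, and every other element answers undefined for attributes, innerText and innerHTML. It runs over a small constructed in-memory DOM rather than a browser, and real enforcement would have to live in the browser rather than in a script the extension could bypass; the element model, `matches`, `gate` and `readSample` are this example's own assumptions.

```javascript
// Added example: a model of "declare the CSS selectors you need data access
// to" from the comment above. Not a browser mechanism; the browser itself
// would have to enforce such a policy. Runs in Node over a constructed DOM.

// Minimal constructed element: tag, id, classes, attributes, own text, children.
function el(tag, { id = null, classes = [], attrs = {}, text = "" } = {}, children = []) {
  return { tag, id, classes, attrs, text, children };
}

// Does one compound simple selector (tag, #id, .class, or a combination such
// as "div#price.product") match this element? Combinators are out of scope.
function matches(node, selector) {
  const parts = selector.trim().match(/^([a-z][a-z0-9-]*)?((?:[#.][\w-]+)*)$/i);
  if (!parts) throw new Error(`unsupported selector: ${selector}`);
  const [, tag, rest] = parts;
  if (tag && tag.toLowerCase() !== node.tag) return false;
  const tokens = rest.match(/[#.][\w-]+/g) || [];
  return tokens.every((t) =>
    t[0] === "#" ? node.id === t.slice(1) : node.classes.includes(t.slice(1)),
  );
}

// innerText / innerHTML cover the whole subtree, as in the real DOM. So
// declaring a selector also grants the text of everything *inside* the
// matched element, a granularity decision any such policy has to make.
function textOf(n) {
  return n.text + n.children.map(textOf).join("");
}
function htmlOf(n) {
  const attrs = [
    n.id && ` id="${n.id}"`,
    n.classes.length && ` class="${n.classes.join(" ")}"`,
    ...Object.entries(n.attrs).map(([k, v]) => ` ${k}="${v}"`),
  ].filter(Boolean).join("");
  return `<${n.tag}${attrs}>${n.text}${n.children.map(htmlOf).join("")}</${n.tag}>`;
}

// Wrap an element so data-bearing properties are only readable when the
// element matches one of the declared selectors. Structure (tag, children)
// stays navigable so the extension can still find the elements it declared.
function gate(node, declared) {
  const allowed = declared.some((sel) => matches(node, sel));
  return new Proxy(node, {
    get(target, prop) {
      switch (prop) {
        case "tagName":
          return target.tag;
        case "children":
          return target.children.map((child) => gate(child, declared));
        case "innerText":
          return allowed ? textOf(target) : undefined;
        case "innerHTML":
          return allowed ? htmlOf(target) : undefined;
        case "getAttribute":
          return (name) => (allowed ? target.attrs[name] : undefined);
        default:
          return undefined; // no other escape hatch to the raw element
      }
    },
  });
}

// Constructed sample page: a product price the extension legitimately needs,
// and a form field it has no business reading.
const SAMPLE_PAGE = el("body", {}, [
  el("div", { id: "price", classes: ["product"], text: "$9.99" }),
  el("input", { id: "card", attrs: { type: "text", value: "constructed-secret" } }),
]);

// What an extension that declared `declared` can observe on the sample page.
function readSample(declared) {
  const body = gate(SAMPLE_PAGE, declared);
  const [price, card] = body.children;
  return {
    bodyText: body.innerText,
    priceText: price.innerText,
    priceHtml: price.innerHTML,
    cardValue: card.getAttribute("value"),
    cardTag: card.tagName,
  };
}

console.log(readSample(["#price"]));
```

Declaring a wide selector such as `body` shows the granularity problem: the subtree text becomes readable even though the input's own attributes stay gated.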
While I fully agree with the hacker ethos of this post, a major issue I have with extensions today is that they're hard to trust. Chrome updates them automatically in most cases, which means a malicious update can easily slip by undetected. There are hordes of data companies looking to buy popular extensions or pay their authors to sneak spyware or other trackers in. The risk surface is massive, which is sad because I believe extensions are also one of the best modalities for extending what people can do online.
Same thing with NPM/PIP dependencies (they can launch arbitrary code and clean up after, unlike Java deps from maven that just copy immutable archives).
"Computing is still young, and platforms are changing quickly. Modern browser extensions and smartphone platforms have only been around for about a decade. These platforms will evolve, and there will be new platforms after them, and we will get to collectively decide how open they will be."
I really like this final comment. As a non-expert in computing, I also often think about how young this field is, and I fantasize about how it will evolve, hopefully towards a more accessible and open ecosystem.
> we will get to collectively decide how open they will be.
The author is way more optimistic than me here. I'd love if that were the case, but with the way the wind is blowing, I doubt that it'll be a collective decision between users and the big tech companies running today's computing platforms. If anything, it'll come through regulation.
It's highly unlikely that e.g. iOS or Android will suddenly and out of their own initiative open up their APIs in a way that would allow building anything like "reading mode"/distraction removers, ad blockers, data extraction allowing mashups between different apps etc.
Google's main customers aren't Android users, but app developers who run in-app ads and sell in-app purchases; the same is to a large extent also true for Apple (although DMA-like changes might shake up things a bit, and their reasoning for not introducing such apps will likely be security and platform integrity, not ads).
I wanted to build an internal company extension, but for that (chrome) you still need to go through the review process with Google and it is even worse than Apple’s App Store reviews.
I love to build extensions.
Such a nice thing they made website source easy to read and manipulate for your own usage, and can even share your modifications to build an extension.
It is just like your newspaper: you can write on it, cut pieces out, etc. You can do with the site what you want for yourself.
The newspaper also designed it how they like, but you can grab your scissors and pen to change it for yourself.
Back when Facebook was fun I paid 5 dollars to write a cross-text extension. Back then I was doing a lot of those jokes where you get a popular saying, strike one word and write another one to make it funny.
What was funny to me is the fact that Facebook started to revert my posts when using this. I remember recording a video about it, don't know if I still have it though.
I love browser extensions both as a user and as a hacker.
The elephant in the room is browser extensions are not a web standard and Google or Firefox can make a breaking change to you at any time “for security”. Also Chrome can boot you out of the store or ask for 100 point ID check in the future.
Extensions are great but a web standard for them would be even better.
I really like your article. I agree with your point that extensions are tools to extend current software functionality and see beyond the creators...
Currently I'm working on a Gmail and Outlook extension for email called Mailverse that adds superpowers to the current email clients.
> Compatibility: Because extensions hook into websites in unsupported ways, updates to websites often result in extensions temporarily breaking, and extension authors scrambling to fix them.
Has anyone who's built a browser extension solved this?
The best you can do is get an early warning by running your extension via an automation framework and getting alerts on errors then publishing a fix and waiting for approval from Google.
Too many unknown unknowns. You're searching for an element to modify or take an action on based on the text content/class/id/aria-label/type? Someone changed apple to train. Or completely changes the element hierarchy. How would you predict or recognize that to modify your logic and be certain it works before publishing to your hundreds/thousands/millions of users?
I think that metamask is an example of a great add on that proves how great browser extensions are. Also, I think that the most popular browser extensions like metamask will eventually become built into every browser
MM terrifies me as an extension. I run it in its own separate browser profile with no other extensions installed. My fear is actually that another extension can hijack MM.
Do they work on mobile yet, all of them? Without that, it is not so useful for me as real investment of my time to make them; 60% of my screen time I wouldn’t be able to use them.
Qui prodest is the question you must ask when you hear the usual points against, mostly security. It's not that every person that dislikes extensions or repeats the same arguments is paid by "them", but it's a little shocking seeing so many negative opinions in a forum called Hacker News.
This comment: https://news.ycombinator.com/item?id=39251996 by Retr0id hits the nail on the head. It's not that we cannot modify the software, but there are so many layers of inconvenience... what about modifying and recompiling the browsers themselves? They're so big now. The solution would be extensions. But no. Security.
Tangential: What tooling do you use to develop extensions? I used React and couldn't find any testing libraries which work on background and content scripts.
It has filtering capabilities (filter in title, link, text, or username via regex) and softhide (hide all the items on a page without pulling others from the next page).
On Android I use a two-fisted approach: Chrome for things that require auth/payments, Kiwi for everything else. Kiwi is an open source fork of Chrome, and it allows extensions. Unfortunately it's not up to date with the latest (secure) Chrome, but I accept that because not having control over the browser is its own form of exploit.
You've always been able to add your own payment system. I sell a freemium extension with payments going through Paddle (I guessed Google might deprecate their payment system so didn't risk it!). Gumroad and Lemon Squeezy are other examples you could use, where they both have simple license key checking web APIs.
I actually make a living selling browser extensions in the iOS and Mac App Store. Apple users are willing to pay.
I used to sell my extension in the Chrome Web Store, until Google eliminated Chrome Web Store Payments (mentioned by another commenter). However, even with Google's payment system, my sales were extremely low; thus it wasn't worth my time to implement my own payment system in the Chrome Web Store.
Apparently Firefox also used to have a payment system for add-ons but eliminated it.
This is purely a choice by the browsers. Chrome and Firefox have chosen to demonetize extensions. Safari has chosen to monetize extensions.
Safari extensions are an exception here. They are distributed through the Mac OS App store, often as an optional part of a desktop App that can then be enabled within Safari.
gklitt|2 years ago
At Ink & Switch (the research lab I now work for), we're working towards local-first [3] software: collaborative software where the data and the code lives on your device. Among other benefits like privacy, we think this is the right foundation for more powerful extensions, since your data and the app code aren't locked away on a server.
[1] https://www.geoffreylitt.com/2023/03/25/llm-end-user-program...
[2] https://www.wildbuilt.world/p/inverting-three-key-relationsh...
[3] https://www.inkandswitch.com/local-first/
jameshart|2 years ago
Anything that is open enough to let someone who knows what they're doing customize the system to their liking, will also be abused by bad actors persuading people who don't know what they are doing to customize the system in ways that harm them.
The fact I can write my own custom keyboards on Android is great! But the fact someone can convince your grandparents to install a keyboard that includes an embedded key logger is not!
Browser extensions have always been a malware-rich ecosystem. Joking about removing all the toolbars from your parents' Internet Explorer whenever you went home for thanksgiving dates back to about 1999.
exe34|2 years ago
Yes, you may read my phone contents, and as far as you know, it's the contents, the whole contents and nothing but the contents - it just happens to be a folder to me. An empty folder. It's a new phone you see.
Yes here's my contact list. Sorry it's mostly empty, there's just the costly premium number in there. I hope your mothership doesn't try to call it.
Yes, here's my microphone. Oh thank you, yes, I do a good impression of Rick Astley.
Pictures on my phone? Oh yes, right this way. It's all pictures of turnips. Do you like them?
samwillis|2 years ago
I'm particularly interested in how general purpose CRDT toolkits like Automerge and Yjs could become the backing filetype for local-first software with interoperable sync/collaboration backends. The user can then have direct access to the underlying data via standard tooling. Files can be linked, embedded within each other, forked and merged.
We could have a new hypermedia platform built on this, where all documents are possible to be shared, forked, edited in realtime...
Basically, love what you are all doing at Ink and Switch, excited to see what you publish next.
megous|2 years ago
Deployment is just terrible. There's no way I'm sending my extensions somewhere over the internet to get signed after every change so I can use code I wrote on my own computer. WTF dystopia is that? Never mind that the last time I checked, the tooling for signing is some stupid ass 100MiB+ NPM/node app I have to now trust too. It's bigger than a freaking Linux kernel build itself.
tomcam|2 years ago
iansinnott|2 years ago
100% this. It should at least be acknowledged that "security" often means less options for the user.
unknown|2 years ago
[deleted]
pyinstallwoes|2 years ago
nottorp|2 years ago
Maybe they attempt to fix them because they're limited by the platform and mostly low quality software?
paxcoder|2 years ago
[deleted]
akkartik|2 years ago
Most browser extensions by weight are Google Chrome extensions. Google Chrome is unambiguously demonstrating that no API is safe in its quest to juice revenues. Anybody who builds extensions using Chrome's APIs should be very aware that they're quite possibly putting effort into something a juggernaut will stomp away without a second thought.
I don't care to live in strategically lost situations like this, so I think the conversation should be about Firefox extensions. Which also don't have a great track record (the transition to Google Chrome compatibility a few short years ago still annoys me greatly), but are a qualitatively better counter-party to deal with.
foobiekr|2 years ago
1. They increase the attack surface of the browser
2. They have routinely been transferred to (for money) or taken over by malicious entities
3. Often they subtly break things in ways that are fine for expert users but which result in support reach-outs by others
The whole extension thing is a mess.
Animats|2 years ago
emodendroket|2 years ago
How unlike developing for literally any other environment.
swozey|2 years ago
w3news|2 years ago
1vuio0pswjnm7|2 years ago
Why would the conversation not be about editing the Firefox source code to add or remove "features" to meet one's personal needs?
What is the point of "open source" if, to use the term from the submission title, the software is effectively un-"hackable"?
There is no small amount of "attack surface", and many unneeded "features", that could be removed from Firefox to someone's benefit, maybe it's only one user,^0 but that will effectively never happen. Why? It is open source so anyone should be able to audit the code and change it to their liking.
0. To be clear, I am not commenting about "most users" or the majority of users or whatever. I am referring to the small class of users who are explicitly dissatisfied.
In 1995, there were numerous non-commercial browsers. Netscape, the source of Mozilla, was one of the few attempting to commercialise.
https://www.w3.org/Clients.html
There is nothing wrong with having "all-in-one" programs. As long as other "not-all-in-one" programs also exist as alternatives.
Arguably, the aim of the "all-in-one" program may be to obviate the existence of other programs, namely smaller, simpler ones.
Those pushing gigantic web browsers might assume and argue, e.g., that it is inconvenient to have different programs for different tasks. This could be true. For some users. However it is also true that small programs can be made to work with each other. UNIX is the example. Over thirty years of continual growth. The companies behind the giant browsers probably could not survive without it. There is choice.
Large "all-in-one" programs and small ones like UNIX utilities can co-exist. The two are not mutually exclusive.
Personally, I prefer not to use a giant browser to make HTTP requests on the open internet. It is overkill and there is a profound lack of user control. (Hence "solutions" like "sandboxing", and an ever-increasing number of Band-Aids that serve only to add more needless complexity. The companies releasing these giant "all-in-one" programs are funded by advertising. Enough said.) For me the "modern" browser is more useful as an image viewer and media player.
It is possible to "browse" the web without advertising, tracking or other annoyances, I do it every day,^1 but not with one of these giant advertising-supported "all-in-one" programs like the "modern" web browser. It is a losing battle to try. No amount of "extensions" can change the balance of power over those giant programs.
Despite that these "browsers" are "open source", dissatisfied users who know how to program are not editing the source code to remove the bad bits. Instead they helplessly complain in forums like HN.
1. I am not a typical user. (Though I might be in 1995.) I prefer text over graphics. I like to read without distraction. Because text is easy for the user to manipulate, it seems to have a defense against advertising that is not available with graphics. For example, if text ads were inserted into response bodies, I can easily filter them out.
throwaway63467|2 years ago
lapcat|2 years ago
I would say, as the developer of an upfront paid web browser extension, that upfront paid web browser extensions are underrated. ;-)
It's a truism that if you're not the customer, you're the product. But what if you are the customer? I think a lot of the mistrust of browser extensions is due to the difficulty in monetizing extensions directly. If you're making nothing from an extension, and someone offers you a nice check to acquire the extension, it can be difficult to turn down that money, especially if the extension is a support burden for the developer. Of course I have my price too, as almost everyone does, but at this point the price would have to be 7 figures (maybe 8??), which I don't think anyone would ever pay for my extension. My user base is relatively small, and thus doesn't provide a huge opportunity for data collection or other nefarious schemes, precisely because the extension is paid rather than free.
jwells89|2 years ago
Of course risks exist with desktop apps too, but historically this kind of buy-and-exfiltrate scheme is comparatively rare with desktop apps, particularly on macOS where signed apps are sandboxed and can’t do a whole lot without user permissions.
wintermutestwin|2 years ago
/Agree. It is crazy that I have to trust some unknown coder with all my browser data just to enable vertical tabs in Firefox.
Of course many of these extensions are open source and thus auditable. As I lack the skill to detect nefarious code, I am wondering if this might be a good use case for AI. Anyone have thoughts on building good malware-finding prompts?
unknown|2 years ago
[deleted]
seanwilson|2 years ago
A tip in Chrome that I never see mentioned if you want to be extra safe when trying extensions:
- Go to Profiles > Add profile > Continue without account
- Install any extensions you feel like in this profile and they're completely isolated from the tabs logins, history, cookies and so on in your regular profile. Similarly, you can run Chrome Beta or Chrome Canary for installing extensions into, alongside regular Chrome.
E.g. you can install 10s of potentially risky web development extensions into this profile (they usually need a lot of access to do what they need to do), and keep them sandboxed away from the profile where you do your personal banking or login to work websites.
It's not practical for every extension, but I do this for my web development stuff and only use a couple of extensions for personal stuff.
I sell a browser extension where the permission I really want to ask for is "can only observe the network traffic it sends/receives in its own tabs" but I'm lumped with having to ask for the "read and write all your data" permission, but I make sure to share the above tip in the description (shameless plug: https://chromewebstore.google.com/detail/checkbot-seo-web-sp...).
imhoguy|2 years ago
sidwyn|2 years ago
Hopefully transparency is one way to overcome this trust barrier.
Springtime|2 years ago
Yeah, it would be nice if there were a way to limit the entire scope of an addon's permissions to a whitelist of domains. Chromium has a way of whitelisting domains an addon can run on[1] but I've assumed it doesn't affect the broader permissions you mention (general history, etc).
[1] Click 'Details' of the addon and switch the 'Allow this extension to read and change all your data on websites you visit' option to 'On specific sites' then add the sites to the whitelist.
justsomehnguy|2 years ago
PaulDavisThe1st|2 years ago
Uh. Linux users would like a word here.
But more generally, there's a significant component of this that seems isomorphous to the question I was trying to discuss in a post I wrote several years ago called "Is Open Source a diversion from what users really want?"
There seems to be much more excitement about ways to "hack" software that do not involve build systems than the complete, open-ended and (theoretically) unbounded access provided by FLOSS. It's not hard to see some obvious reasons why that would be true, but still a little disappointing.
I tried to discuss that here, specifically in the contrast between Reaper's provision of scripting-but-closed-source versus Ardour's scripting-but-open-source.
https://discourse.ardour.org/t/is-open-source-a-diversion-fr...
Retr0id|2 years ago
As a Linux user, I disagree. It's not quite the same. Yes, I could recompile my kernel if I wanted to. I can recompile most of userspace too. But it's a hassle, especially if you want to diverge from upstream, and maintain that divergence on a long-term basis.
You can do some fun hacks with LD_PRELOAD et al, but it's nowhere near the degree of flexibility and ease of access of browser extensions.
I am allowed to modify all the software as I see fit (and that's excellent), but the friction of actually doing so is (comparatively) high.
lmm|2 years ago
The shift of Linux to systemd was a very similar experience to the decline of browser extensions. Yes, you can change how your computer works. But unless you're willing to put a lot of effort into maintaining those changes, the APIs you use will be cut out from under you and it'll be harder and harder to make your computer do what you wanted rather than what someone else thought it should do.
yoav|2 years ago
So chrome (or whatever) becomes a platform for distributing and executing software.
jlawrence6809|2 years ago
[1] https://chromewebstore.google.com/detail/css-selector-helper...
swozey|2 years ago
silvestrov|2 years ago
Make it easy to find out which web pages they access and which they modified.
Minimized/encrypted code in extensions should be forbidden. It should be very easy to read the code.
E.g. this extensions says "records user activity", but what is that really: https://chromewebstore.google.com/detail/coffeelings/hcbddpp...
a13o|2 years ago
The total list of websites is available in the installation popup for the extension.
The Chrome Web Store already bans code obfuscation. Minification is allowed as there's no meaningful way to enforce the quality of variable names.
Sephr|2 years ago
This won't help against intentionally-obfuscated code but it should help with security & privacy research for most extensions.
unknown|2 years ago
[deleted]
unknown|2 years ago
[deleted]
Sophira|2 years ago
They're not full extensions, but userscripts and user styles go a long way, and extensions exist that allow people to create/use them in the browser (eg. Tampermonkey[0] and Stylus[1].) I consider them incredibly important, even though they can't do as much as extensions.
[0] https://www.tampermonkey.net/ [1] https://chrome.google.com/webstore/detail/stylus/clngdbkpkpe...
remram|2 years ago
swozey|2 years ago
I have no idea via the Chrome prompts what extensions are able to do, read, see, access, etc. "Allowed to access data on all websites" - Is this literally all data? Like what I'm typing? Like does it know when I go URL to URL? Is it just reading the assets? Is there a Chrome API that limits their access that I can see? What do I actually need to worry about? I have a video zoomer that lets me zoom in on any video on any website; do I need to literally audit each extension myself and make sure it's not mirroring my data elsewhere or something?
I have no idea. How would a non technical user know any of this?
Rapzid|2 years ago
Like another user mentioned, because of this I only trust a few key extensions (and, like that user, uBlock, Bitwarden, etc.) with this sort of access.
I'd be very wary of those scrapy screen/session recording startups if for no other reason than they could be particularly vulnerable to supply chain attacks.
weaksauce|2 years ago
mg|2 years ago
- Are easy to edit
- Are inactive until clicked
- Work in all browsers
- Work on mobile
- Integrate nicely into the UI. I can move them around, put them into any bookmark folder, assign shortcuts.
I wrote this bookmarklet editor which makes it easy to convert between clean code and a bookmarklet:
https://www.gibney.org/bookmarklet_editor
dugite-code|2 years ago
Got any good bookmarklets you want to share?
fabian2k|2 years ago
I use a very limited set of extensions I trust like uBlock origin and Bitwarden. Also some developer extensions, but usually not on my main browser. Everything else is just not worth the risk for me.
empiricus|2 years ago
mozball|2 years ago
Depends on the permissions requested by the extension but often yes. The permission "Can read all data on any webpage" means exactly that.
> Is there a way to use browser extensions safely?
Yes. Depending on your paranoia / security standards. Here's what you can do (ordered by importance):
1. Use more than one browser (but stay away from proprietary or less popular browsers) and/or use multiple profiles (both Firefox and Chrome have them)
2. Have separate profiles for banking, personal email, work and general browsing. (Also good for productivity)
3. Banking profile should have no extensions.
4. Use only Mozilla-vetted 'recommended' and 'security reviewed' extensions in Firefox for less important accounts. Check the permissions carefully and see if they're sane. I don't use extensions in Chrome at all since the Google web store does no vetting at all beyond automated scanning. It's the wild west out there.
5. You can be less careful with general browsing profiles as long as you don't log into important accounts. Use Firefox containers (this is more for privacy though than security)
6. If some addon is tempting but not reviewed, I try to review the code (if it's small and readable enough). After vetting, I disable auto-updates. A Greasemonkey script that does equivalent functionality is often preferable since the code is usually smaller and readable. Disable auto-update there too. Otherwise resist the temptation to install too many addons.
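A small Node.js helper for the "check the permissions carefully and see if they're sane" step above, which also answers the earlier questions in the thread about what "access data on all websites" covers and illustrates the site-scoped automation extension another commenter described. It is an added example, not code from any commenter: it takes a parsed manifest.json (Manifest V2 or V3) and reports host reach and sensitive API permissions; the sensitive-API list, the rating scheme and the three sample manifests are this example's own constructed assumptions, not a browser or store policy.

```javascript
// Added example: a Node.js checker for extension manifest permissions.
// Takes a parsed manifest.json (MV2 or MV3) and reports how much of the web
// the extension can touch and which cross-page APIs it asks for. The lists
// below are this example's own choices, not a browser or store policy.

// API permissions that reach beyond the page an extension is injected into.
const SENSITIVE_APIS = new Set([
  "cookies", "history", "tabs", "webRequest", "webRequestBlocking",
  "nativeMessaging", "debugger", "clipboardRead", "downloads",
  "proxy", "management",
]);

// A match pattern is "broad" when it covers every host, i.e. the install
// prompt will say the extension can read and change data on all websites.
function isBroadHost(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = pattern.match(/^(\*|https?|file|ftp):\/\/([^/]*)\//);
  return m !== null && m[2] === "*";
}

// Gather every host pattern the manifest grants: MV3 host_permissions,
// MV2 host patterns mixed into permissions, and content_scripts matches.
function collectHosts(manifest) {
  const hosts = new Set();
  for (const p of manifest.host_permissions || []) hosts.add(p);
  for (const p of manifest.permissions || []) {
    if (p === "<all_urls>" || /^[a-z*]+:\/\//.test(p)) hosts.add(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.add(m);
  }
  return [...hosts];
}

function auditManifest(manifest) {
  const hosts = collectHosts(manifest);
  const broadHosts = hosts.filter(isBroadHost);
  const sensitiveApis = (manifest.permissions || []).filter((p) => SENSITIVE_APIS.has(p));
  const optionalSensitiveApis = (manifest.optional_permissions || []).filter((p) => SENSITIVE_APIS.has(p));
  // Crude rating: all-sites reach combined with cross-page APIs is the
  // "read and change all your data" case the thread keeps coming back to.
  let rating = "low";
  if (broadHosts.length > 0 || sensitiveApis.length > 0) rating = "medium";
  if (broadHosts.length > 0 && sensitiveApis.length > 0) rating = "high";
  return { manifestVersion: manifest.manifest_version, hosts, broadHosts, sensitiveApis, optionalSensitiveApis, rating };
}

// Constructed sample manifests (not real extensions).
// 1) Site-scoped automation, like the coupon clipper described earlier in the thread.
const NARROW_MV3 = {
  manifest_version: 3,
  name: "coupon-clipper (constructed)",
  permissions: ["storage", "alarms"],
  content_scripts: [{ matches: ["https://www.example-grocer.test/*"], js: ["clip.js"] }],
};
// 2) The pattern to be wary of: every site plus cross-page APIs.
const BROAD_MV3 = {
  manifest_version: 3,
  name: "helper (constructed)",
  permissions: ["tabs", "cookies", "webRequest", "storage"],
  host_permissions: ["<all_urls>"],
};
// 3) The same reach in Manifest V2, where host patterns live in `permissions`.
const BROAD_MV2 = {
  manifest_version: 2,
  name: "legacy helper (constructed)",
  permissions: ["http://*/*", "https://*/*", "tabs", "storage"],
};

for (const m of [NARROW_MV3, BROAD_MV3, BROAD_MV2]) {
  const r = auditManifest(m);
  console.log(`${m.name}: ${r.rating} (hosts: ${r.hosts.join(", ") || "none"}; sensitive: ${r.sensitiveApis.join(", ") || "none"})`);
}
```

Run it against the manifest.json of an unpacked extension before enabling it; a "low" rating does not mean the code is benign, only that the declared reach matches a single-site job.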
ysavir|2 years ago
For me, an extension can only require so much hands-on effort before that effort outweighs the rewards of the extension. Years ago I had the Vimium plugin and loved it, but the provided functionality isn't worth the necessary audits. Not wanting to have to trust that it never sells out or gets hacked, I got rid of it. These days I just use a small handful of extensions (uBlock Origin, NoScript, Vue.js devtools) that I feel comfortable trusting and that make a significant impact on my browsing experience. I can manage without the rest.
senkora|2 years ago
(You could also audit the extension for complete safety, but TBH I'm usually too lazy to do that, and I assume that the risk of an extension currently being malicious is far lower than the risk of an extension later being updated to become malicious)
Hackbraten|2 years ago
monkellipse|2 years ago
Hackbraten|2 years ago
That way I force myself to build them from source.
My habit is also to inspect the changes between upstream releases. It's mostly spot checks, but it's better than nothing.
[1]: https://aur.archlinux.org/packages?O=0&SeB=nd&K=firefox-exte...
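A worked version of two pieces of advice from the comments above: "check the permissions carefully and see if they're sane", and the spot checks of what changes between upstream releases (the comment just above notes that the real risk is an extension later being updated). This is an added example, not code from any commenter and not part of the Firefox or Chrome toolchain. It reads a WebExtension manifest, flags host patterns and API permissions that grant broad access, and diffs two versions so the review can focus on newly requested privileges. The sensitive-permission list and both sample manifests are constructed for the example.

```javascript
// Added example: audit a WebExtension manifest.json for broad access and
// report what a newer version requests beyond an older one.

// API permissions that let an extension observe or alter page content,
// network traffic, or the user's machine broadly. This set is an assumption
// chosen for the example, not an official list from any browser vendor.
const SENSITIVE_PERMISSIONS = new Set([
  "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
  "clipboardRead", "nativeMessaging", "debugger", "scripting",
  "declarativeNetRequest", "proxy", "downloads",
]);

// True for match patterns that cover (nearly) every site:
// "<all_urls>", "*://*/*", "https://*/*", ... (host is exactly "*").
function isBroadHost(pattern) {
  return pattern === "<all_urls>" || /^[a-z*]+:\/\/\*\//.test(pattern);
}

// Gather API permissions and host patterns from the places a manifest can
// declare them: "permissions" (MV2 mixes both kinds), "host_permissions"
// (MV3) and content_scripts[].matches (which also grant page access).
function collectPermissions(manifest) {
  const api = new Set();
  const hosts = new Set();
  const add = (p) => {
    if (p === "<all_urls>" || p.includes("://")) hosts.add(p);
    else api.add(p);
  };
  (manifest.permissions || []).forEach(add);
  (manifest.host_permissions || []).forEach(add);
  for (const cs of manifest.content_scripts || []) {
    (cs.matches || []).forEach((m) => hosts.add(m));
  }
  return { api, hosts };
}

// Return a list of human-readable findings; an empty list means nothing
// in the manifest stood out.
function auditManifest(manifest) {
  const { api, hosts } = collectPermissions(manifest);
  const findings = [];
  for (const h of hosts) {
    if (isBroadHost(h)) findings.push(`broad host access: ${h}`);
  }
  for (const p of api) {
    if (SENSITIVE_PERMISSIONS.has(p)) findings.push(`sensitive API: ${p}`);
  }
  // The combination matters more than either part: webRequest scoped to
  // one site is very different from webRequest on every site.
  if (api.has("webRequest") && [...hosts].some(isBroadHost)) {
    findings.push("can observe traffic on every site (webRequest + broad host access)");
  }
  return findings;
}

// What does the new version ask for that the old one did not?
function diffPermissions(oldManifest, newManifest) {
  const before = collectPermissions(oldManifest);
  const after = collectPermissions(newManifest);
  return {
    addedApi: [...after.api].filter((p) => !before.api.has(p)),
    addedHosts: [...after.hosts].filter((h) => !before.hosts.has(h)),
  };
}

// Constructed sample manifests (not a real extension): v1.0 only touches one
// site; v1.1 quietly adds webRequest + cookies on every URL.
const MANIFEST_V1 = {
  manifest_version: 3,
  name: "hn-tweaks",
  version: "1.0",
  permissions: ["activeTab", "storage"],
  content_scripts: [{ matches: ["https://news.ycombinator.com/*"], js: ["content.js"] }],
};
const MANIFEST_V2 = {
  ...MANIFEST_V1,
  version: "1.1",
  permissions: ["activeTab", "storage", "webRequest", "cookies"],
  host_permissions: ["<all_urls>"],
};

console.log("v1.0 findings:", auditManifest(MANIFEST_V1));
console.log("v1.1 findings:", auditManifest(MANIFEST_V2));
console.log("added in v1.1:", diffPermissions(MANIFEST_V1, MANIFEST_V2));
```

Run it with `node` against two unpacked versions of an extension by replacing the constructed manifests with `JSON.parse(fs.readFileSync("manifest.json"))`. Host patterns in `content_scripts` are included deliberately: a content script on `<all_urls>` reads every page even when `permissions` looks harmless.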
extesy|2 years ago
swozey|2 years ago
I'll give an example since I'm tooting so loudly about this: my job entails a lot of R&D and distributing knowledge to other engineers in a concise manner. I use an app called Hypothesis (https://web.hypothes.is/), which is very popular in research groups.
What it does is it lets me essentially annotate websites. So, for instance, I have an application with a front-end UI; instead of writing READMEs with no interaction with the front-end UI, I can actually annotate each page like a how-to or a help doc. You go to that specific URL and get notified that there's a Hypothesis doc on it to read.
When I used to work at a k8s distro company I used it to help teach people how to deploy clusters, etc.
Another one is Dark Reader, which makes every single website dark mode. uBlock I can't even remember a time of my life not using to block ads. I do have null stuff via Cloudflare DNS as well, but I still use uBlock everywhere since it's also a massive security improvement, blocking chaotic JavaScript.
It's amazing for training situations.
https://web.hypothes.is/
mozball|2 years ago
seagulls|2 years ago
breadchris|2 years ago
[1] https://github.com/lunabrain-ai/lunabrain/tree/main/js/exten...
poisonborz|2 years ago
Sure, WebKit and VSCode are both open source and forkable along with their extension support, but any later development would rot compatibility until, and if, a popular fork emerges.
dividendpayee|2 years ago
He had the same point, where it feels like browser extensions are a big, somehow under-appreciated market. Browsers are huge platforms -- creating add-ons and making them more capable should be a popular, value-generating thing to do! But for a number of (developer) UX/UI issues, that just hasn't been the case. I hope this changes!
GeekyBear|2 years ago
I have moved over to only using extensions that have gone through Mozilla's manual code review necessary to become part of their "recommended extensions" program.
> Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts
https://support.mozilla.org/en-US/kb/recommended-extensions-...
cc101|2 years ago
ww520|2 years ago
As an experiment I developed my latest browser extension on Firefox [1], Chrome, and Edge [2] at the same time to see how difficult it is to share the same code base. The difference is minuscule, like less than 0.01%. Chrome and Edge are essentially the same. Firefox is a bit behind in Manifest V3 support and needs a few lines of Firefox-specific API calls. The manifest files have a few differences. Overall, sharing the same code base is very feasible.
[1] https://addons.mozilla.org/en-US/firefox/addon/one-page-favo...
[2] https://microsoftedge.microsoft.com/addons/detail/one-page-f...
Edit: You might ask where the Chrome version is. Well, I had a heck of a time creating a new Google account for deployment. Stay tuned.
account-5|2 years ago
olejorgenb|2 years ago
lstamour|2 years ago
The unfortunate part of web browser extensions is that, like the treadmill of web frameworks and app development, browsers can’t seem to stop changing and tweaking how extensions work and remove perfectly good functionality. So you end up sometimes having to rewrite an extension or its manifest with very little assistance from browser makers. But at least you don’t need to learn XUL any longer, so not all changes are bad ;-)
ustad|2 years ago
https://github.com/mdn/webextensions-examples
gymbeaux|2 years ago
mcoliver|2 years ago
I wish the Chrome store gave badges to extensions like mine to make people more aware, gave a filter when searching for new extensions, and encouraged least-permissive development.
The Chrome store extension rules are also unevenly enforced. Take a look at the source code for something like 1Password. It is full of obfuscation and completely unintelligible, which is against the store rules. I base64-encoded a single string that was my JSON dict in an otherwise completely readable JS file, and it went through on one publish but a few versions later was red-flagged.
kjkjadksj|2 years ago
BenjiWiebe|2 years ago
feldrim|2 years ago
0. https://zaferbalkan.com/2023/10/03/browser-extension-api.htm...
redder23|2 years ago
AlienRobot|2 years ago
I think extensions should declare a bunch of CSS selectors that they need data access to, and if an element doesn't match those selectors, then all attributes and .innerText/.innerHTML should return undefined.
I don't care if normal people can't understand what CSS selectors are. Just hide it in "view technical details" box or something.
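A sketch of what the proposal above could look like in practice, as an added example rather than anything a browser implements today. Node has no DOM, so a tiny element model and a matcher for compound selectors (tag, `#id`, `.class`, `[attr]`, `[attr=value]`) stand in for the real thing; the point is the gate, which returns `undefined` for text and attributes unless the element matches one of the selectors the extension declared. The elements, selectors and the `makeElement`/`gateElement` names are all constructed for this example.

```javascript
// Added example: selector-scoped DOM access. An extension declares the
// selectors it needs; everything else is structurally visible but unreadable.

// Minimal stand-in for a DOM element (constructed; no real DOM in Node).
function makeElement({ tag, id = null, classes = [], attrs = {}, text = "" }) {
  return {
    tagName: tag.toUpperCase(),
    id,
    classList: new Set(classes),
    attributes: { ...attrs },
    innerText: text,
  };
}

// Parse one compound selector such as 'a.titleline' or 'input[type="password"]'.
// Combinators (spaces, '>', etc.) are out of scope and rejected.
function parseSelector(selector) {
  const re = /([a-zA-Z][\w-]*)|#([\w-]+)|\.([\w-]+)|\[([\w-]+)(?:=("?)([^\]"]*)\5)?\]/g;
  const parts = { tag: null, id: null, classes: [], attrs: [] };
  let consumed = 0;
  let m;
  while ((m = re.exec(selector)) !== null) {
    if (m.index !== consumed) throw new Error(`unsupported selector: ${selector}`);
    consumed = re.lastIndex;
    if (m[1]) parts.tag = m[1].toUpperCase();
    else if (m[2]) parts.id = m[2];
    else if (m[3]) parts.classes.push(m[3]);
    else parts.attrs.push({ name: m[4], value: m[6] === undefined ? null : m[6] });
  }
  if (consumed !== selector.length) throw new Error(`unsupported selector: ${selector}`);
  return parts;
}

// Does the element satisfy every part of the compound selector?
function matches(el, selector) {
  const s = parseSelector(selector);
  if (s.tag && el.tagName !== s.tag) return false;
  if (s.id && el.id !== s.id) return false;
  if (!s.classes.every((c) => el.classList.has(c))) return false;
  return s.attrs.every(({ name, value }) =>
    name in el.attributes && (value === null || el.attributes[name] === value));
}

// The gate: structure (tag name) stays visible so the extension can walk the
// page, but text and attributes read as undefined unless the element matches
// one of the declared selectors.
function gateElement(el, declaredSelectors) {
  const allowed = declaredSelectors.some((sel) => matches(el, sel));
  return {
    tagName: el.tagName,
    get innerText() { return allowed ? el.innerText : undefined; },
    getAttribute(name) {
      if (!allowed) return undefined;
      return name in el.attributes ? el.attributes[name] : null;
    },
  };
}

// Constructed page fragments: a story title the extension legitimately needs,
// and a password field it has no business reading.
const TITLE_LINK = makeElement({
  tag: "a", classes: ["titleline"],
  attrs: { href: "https://example.com/post" },
  text: "Browser extensions are underrated",
});
const PASSWORD_INPUT = makeElement({
  tag: "input", attrs: { type: "password", name: "pw", value: "hunter2" },
});

// What the (hypothetical) extension declared in its manifest.
const DECLARED_SELECTORS = ["a.titleline", "span.score"];

for (const el of [TITLE_LINK, PASSWORD_INPUT]) {
  const g = gateElement(el, DECLARED_SELECTORS);
  console.log(g.tagName, "innerText:", g.innerText, "value:", g.getAttribute("value"));
}
```

The declared selectors play the role of a permission: they are visible at install time, static, and reviewable, which is what makes them more useful than a blanket "read all data on any webpage" grant even if most users never open the technical-details box.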
smudge-ai|2 years ago
iansinnott|2 years ago
It is definitely a risk for users though.
You can also "opt out" of automatic updates, but the process is a bit involved.
1. Locate the extension on disk
2. Copy it to some other location
3. Add it as a developer extension via the "Load unpacked" button in the extensions screen.
I would also advocate for extensions being open source, but of course most of them are not.
deepsun|2 years ago
quicon|2 years ago
I really like this final comment. As a non-expert in computing, I also often think about how young this field is, and I fantasize about how it will evolve, hopefully towards a more accessible and open ecosystem.
lxgr|2 years ago
The author is way more optimistic than me here. I'd love if that were the case, but with the way the wind is blowing, I doubt that it'll be a collective decision between users and the big tech companies running today's computing platforms. If anything, it'll come through regulation.
It's highly unlikely that e.g. iOS or Android will suddenly and out of their own initiative open up their APIs in a way that would allow building anything like "reading mode"/distraction removers, ad blockers, data extraction allowing mashups between different apps etc.
Google's main customers aren't Android users, but app developers who run in-app ads and sell in-app purchases; the same is to a large extent also true for Apple (although DMA-like changes might shake up things a bit, and their reasoning for not introducing such apps will likely be security and platform integrity, not ads).
mosselman|2 years ago
fritzo|2 years ago
w3news|2 years ago
pknerd|2 years ago
atum47|2 years ago
What was funny to me is the fact that Facebook started to revert my posts when using this. I remember recording a video about it; don't know if I still have it, though.
juxtapose|2 years ago
quickthrower2|2 years ago
The elephant in the room is that browser extensions are not a web standard, and Google or Firefox can make a breaking change on you at any time "for security". Also, Chrome can boot you out of the store or ask for a 100-point ID check in the future.
Extensions are great but a web standard for them would be even better.
lapcat|2 years ago
dannysuarezpab|2 years ago
dang|2 years ago
Browser extensions are underrated: the promise of hackable software - https://news.ycombinator.com/item?id=20556382 - July 2019 (186 comments)
sidwyn|2 years ago
Has anyone who's built a browser extension solved this?
mcoliver|2 years ago
Too many unknown unknowns. You're searching for an element to modify or take an action on based on the text content/class/id/aria-label/type? Someone changed apple to train. Or completely changes the element hierarchy. How would you predict or recognize that to modify your logic and be certain it works before publishing to your hundreds/thousands/millions of users?
zubairq|2 years ago
latchkey|2 years ago
anonzzzies|2 years ago
narag|2 years ago
This comment: https://news.ycombinator.com/item?id=39251996 by Retr0id hits the nail on the head. It's not that we cannot modify the software, but there are so many layers of inconvenience... What about modifying and recompiling the browsers themselves? They're so big now. The solution would be extensions. But no. Security.
prakhar897|2 years ago
everybodyknows|2 years ago
Retr0id|2 years ago
sn0n|2 years ago
drakerossman|2 years ago
Browser Extension for Hacker News written in Rust WASM:
https://github.com/drakerossman/hackernews-userscript
It has filtering capabilities (filter in title, link, text, or username via regex) and softhide (hide all the items on a page without pulling others from the next page).
ulrischa|2 years ago
ggm|2 years ago
dboreham|2 years ago
Retr0id|2 years ago
rekoil|2 years ago
isodev|2 years ago
blibble|2 years ago
Safari and Firefox support them.
davidy123|2 years ago
rz2k|2 years ago
adamsiem|2 years ago
cranberryturkey|2 years ago
seanwilson|2 years ago
You've always been able to add your own payment system. I sell a freemium extension with payments going through Paddle (I guessed Google might deprecate their payment system, so I didn't risk it!). Gumroad and Lemon Squeezy are other examples you could use; they both have simple license key checking web APIs.
lapcat|2 years ago
I actually make a living selling browser extensions in the iOS and Mac App Store. Apple users are willing to pay.
I used to sell my extension in the Chrome Web Store, until Google eliminated Chrome Web Store Payments (mentioned by another commenter). However, even with Google's payment system, my sales were extremely low; thus it wasn't worth my time to implement my own payment system in the Chrome Web Store.
Apparently Firefox also used to have a payment system for add-ons but eliminated it.
This is purely a choice by the browsers. Chrome and Firefox have chosen to demonetize extensions. Safari has chosen to monetize extensions.
senkora|2 years ago
aloisdg|2 years ago
You can still open a Liberapay if you want
mettamage|2 years ago
unknown|2 years ago
[deleted]
unknown|2 years ago
[deleted]
bmacho|2 years ago
Don't create them.
Don't use them.
Use Tampermonkey/userscript instead.