by DarkLinkXXXX 3689 days ago
It seems it's not necessarily malicious. From https://bugs.chromium.org/p/chromium/issues/detail?id=399859:

"The popup is anchored to the extension icon, which might be in overflow or not even exist, in which case it is anchored to the Wrench menu. That kind of anchoring would make the message in the popup to appear to be from the Chrome browser (since it points to the chrome UI) and would present a vector for tricking users into thinking the message is from a trusted source.

Since this is not safe to allow all extensions to do we'd need a lot better reasoning than "I'd like to use this in my extension" before allowing widespread use of this API."

3 comments

I agree that the API limitation is most likely not malicious and I did not intend to imply otherwise. Still, lack of malice does not change the fact that the Google Cast extension has a competitive advantage over other non-Google extensions (which can't use all of the same APIs).

This seems remarkably similar to Philips:

"While the Philips Hue system is based on open technologies we are not able to ensure all products from other brands are tested and fully interoperable with all of our software updates. For guaranteed compatibility you need to use Philips Hue or certified Friends of Hue products."

After all, it'd just be downright unthinkable that any non-Philips lightbulb should be compatible with our light sockets, that any brand of plug should fit into our wall sockets, or that a non-Google-branded plug-in should be able to use a web browser's APIs... I mean, goodness, next we'll be thinking that the term "plug-in API" suggests it's supposed to allow things that other people created to interoperate...

I agree, I would guess extensions also probably don't have access to Chrome's password store. Trusted code can be handled differently.