by blibble
3262 days ago
It's more the automatic silent updating that's the problem: people sell their high-value extensions, then the new owners load them full of malware. Chrome doesn't let you turn the updating off... I have previously resorted to removing the update URL from the extension manifest manually...

I wrote some scripts to provide version pinning (just automates the manual editing of the manifests), but then you have to consider critical vulnerabilities in things like the LastPass extension, where you absolutely want updates ASAP. So then you either have to have a curated extension list or maybe just separate extensions into "trusted", i.e. provided by reputable businesses as part of their product (LastPass, Okta, etc.), and "un-trusted." Even then, if the malware isn't in your face, you have no idea if the pinned version of your un-trusted extensions is actually non-malicious without auditing the code.
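
An added example, not written by either commenter: a read-only audit in the spirit of the pinning discussed above, which compares each installed extension's manifest with a pinned version and permission baseline and reports whether the `update_url` key is still present. The directory layout, the pin format and the extension IDs are assumptions constructed for the example, and it inspects manifest metadata only, not extension code.

```python
import json
import tempfile
from pathlib import Path

def audit_extensions(root, pins):
    """Compare unpacked extensions under root with a pinned baseline."""
    # Assumed layout: <root>/<extension id>/<version dir>/manifest.json
    # Assumed pin format: extension id -> {"version": str, "permissions": [str]}
    findings = []
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        manifest = json.loads(path.read_text(encoding="utf-8"))
        declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        perms = {p for p in declared if isinstance(p, str)}
        version, pin, issues = manifest.get("version"), pins.get(ext_id), []
        if pin is None:
            issues.append("not in pin list")
        else:
            if version != pin["version"]:
                issues.append(f"version {version} != pinned {pin['version']}")
            added = sorted(perms - set(pin["permissions"]))
            if added:
                issues.append("new permissions: " + ", ".join(added))
        if "update_url" in manifest:  # the key the thread describes removing
            issues.append("update_url present")
        findings.append({"id": ext_id, "version": version, "issues": issues})
    return findings

def demo():
    """Run the audit over a constructed tree with made-up extension IDs."""
    samples = {  # constructed sample manifests, not real extensions
        "aaaa-example-id/1.2.0_0": {"version": "1.2.0", "permissions": ["storage"]},
        "bbbb-example-id/3.0.1_0": {
            "version": "3.0.1", "permissions": ["storage", "webRequest", "<all_urls>"],
            "update_url": "https://updates.example.invalid/crx"},
    }
    pins = {
        "aaaa-example-id": {"version": "1.2.0", "permissions": ["storage"]},
        "bbbb-example-id": {"version": "3.0.0", "permissions": ["storage"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, manifest in samples.items():
            target = Path(tmp) / rel
            target.mkdir(parents=True)
            (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions(tmp, pins)

if __name__ == "__main__":
    for finding in demo():
        print(finding["id"], finding["version"], finding["issues"] or "ok")
```

A version change that arrives together with new permissions is a cue to review the update before trusting it; an unchanged manifest says nothing about what the code does.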