by alexanderby 2748 days ago
Firefox add-ons pass a full source code review before submission, after the Stylish incident. Safari extensions also pass manual review; Apple asks the developer to send an ID card photo. Not sure about Chrome; you have to simply trust me. The code is not obfuscated, and you can always locate the files and see what the extension does in your browser. Google recently announced some security changes https://blog.chromium.org/2018/10/trustworthy-chrome-extensi...

Is that really true? I was really alarmed when this extension requested access to all websites and added a ton of obfuscated code with the latest version for no apparent reason: https://addons.mozilla.org/en-US/firefox/addon/restore-old-t...

I've reported it, but nothing seems to happen.
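The two things raised above, an extension asking for access to all websites and a release that suddenly ships obfuscated JavaScript, are both visible in the unpacked extension files. The following is an added example (my own code, not anything from this thread, Mozilla or Google) that reads the WebExtension manifest format shared by Chrome and Firefox, lists the entries that grant access to every site, and flags script files that look packed or obfuscated; the helper names, the constructed sample manifest and the scoring thresholds are assumptions of this example, not any store's review criteria.

```python
"""Audit an unpacked browser extension for broad host access and obfuscation signs."""
import json
import os
import re
from typing import Dict, List, Tuple

# Match patterns that grant access to every site (or every http/https site).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")

# Constructed sample manifest (not from any real extension) for a stand-alone run.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
}


def broad_host_grants(manifest: Dict) -> List[str]:
    """Return every manifest entry that grants access to all websites."""
    found = []
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        found += [f"{key}: {p}" for p in manifest.get(key, []) if p in BROAD_HOSTS]
    # Content scripts carry their own match patterns and run on every matching page.
    for cs in manifest.get("content_scripts", []):
        found += [f"content_scripts.matches: {m}" for m in cs.get("matches", []) if m in BROAD_HOSTS]
    return found


def obfuscation_score(js: str) -> float:
    """Heuristic in [0, 1]: very long lines and dense hex/unicode escapes suggest packed code."""
    longest = max(len(line) for line in (js.splitlines() or [""]))
    line_part = min(longest / 2000.0, 1.0)  # a single 2000+ character line scores 1.0
    escape_part = min(len(_ESCAPE.findall(js)) * 50 / max(len(js), 1), 1.0)  # 1 escape per 50 chars
    return max(line_part, escape_part)


def audit_extension(root: str, threshold: float = 0.5) -> Dict:
    """Audit an unpacked extension directory: manifest grants plus suspicious .js files."""
    with open(os.path.join(root, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    flagged: List[Tuple[str, float]] = []
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.endswith(".js")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                score = obfuscation_score(f.read())
            if score >= threshold:
                flagged.append((os.path.relpath(path, root), round(score, 2)))
    return {"broad_hosts": broad_host_grants(manifest), "obfuscated_js": flagged}
```

Point `audit_extension` at the extension's install directory (or at the unzipped `.xpi`/`.crx`) and compare the result against the permissions the store listing claims.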

Yes. To submit to Firefox you're required to provide them with the source code, but you may transpile it so long as they can verify that it's the same, AFAIK?
> Apple asks developer to send an ID card photo.

To me this sounds like the most vital thing to improve trust. Having browser developers review all the source code in detail is unrealistic, and even then, won't defeat underhanded programming (is it a bug or a deliberate vulnerability?). Legal accountability combined with auditability at least provide a deterrent to publishing malicious software.

Yah, I am sure hardcore hackers are giving up the gig b/c they need a PHOTO of an ID! And now the ones who are legitimate have to trust a company with their IDs? This seems like a VERY weak stop-gap measure to a very difficult problem.
Do they also inspect the hundreds of npm packages an extension might use?
> Apple asks developer to send an ID card photo

Is this something specific to Safari extensions? I have never heard of anyone having to do this.

To be less disingenuous, the review process seems to be limited to looking for specific known attack vectors, rather than a full review or evaluation of the source code (which would be impractical). That said, yes, someone at Mozilla does at least eyeball it.