by amenod 2322 days ago
FTFY: To be clear, this is more a criticism of _every browser's_ security model,...

I do agree with you though. What is surprising is that technically, this should be fairly easy to solve:

- own the CI system (to make sure the sources match the built versions)

- make sources (the ones that went into build) clearly visible

- disable silent updates

2 comments

The solution should surely involve more granular permissions?

I'm assuming this permission has no need to read the body of network responses, inject anything into the responses, read cookies etc.

However, it probably has no option other than to request the "read and change all network data" permission because there is nothing weaker that will let it do what it needs to do.

Making sources available isn't a scalable option to help with this in my opinion. Who is going to be doing thorough security audits of every extension + every update?

This is exactly the approach taken by F-Droid (for Android apps). All apps available on F-Droid have been automatically built from a publicly available repository, and you can either download the binary (APK) or the source tarball that they used to produce it. Updates are manual.