[metastart]

Google recently removed several hundred extensions which were found to contain malware. Tons of extensions have been caught saving & selling users' browsing history, notably the ironically titled popular "web of trust".

It's sadly not uncommon for malware hosts to acquire extensions and then use them to inject ads to spread their malware.

The Epic Privacy Browser presciently blocked almost all extensions citing those vulnerabilities and its desire to provide a reliably high level of privacy. It's kept its users safe while Chrome, Brave and other browsers' users were vulnerable.

[derefr]

I'm continually surprised that we don't have a clear delineation between extensions that "do" something—maybe relying on well-known third-party SaaS APIs in the process—and extensions that exfiltrate your browsing data.

99% of extensions don't need to send the URL anywhere without the user clicking to activate them; nor do they need to send the whole content of the page to a server, ever.

You know how macOS now has a capability-model for apps, where it sometimes says "X wants Y, and it's been denied it; you can go into System Preferences to manually give it Y"? That tends to neatly fix the "99% of apps don't need Y" problem, by increasing the friction to getting Y to the point that users won't generally bother unless the whole point of the app is Y.

I'd love to see that implemented for browser extensions—or, in fact, for individual tuples of {extension, trigger, data, third-party origin}.

In the sane case, that'd look something like: {Instapaper, on click of the extension's button, current tab's URL, instapaper.com}

It'd be pretty clear, just from looking at one of those entries, whether it's something that contributes to the functionality of the extension or not. Extension authors would undoubtedly write "installation instructions" urging users to enable these; but if the instructions say to enable a stanza like {MalwareExt, on page load, sends everything it can, to badserver.info}... well, even the most guileless user would think twice, no?

[michaelbuckbee]

The issue is typically that the browser itself doesn't cleanly split those roles.

Take something like Vimium - it's an extension that lets you use keyboard shortcuts to navigate webpages. You could "scope" it's interactions to adding keyboard shortcuts and modifying the page to indicate links: no external calls, etc.

But it could still add a script to the dom (and it would execute) or it could open a hidden iframe and do a bunch of wild stuff with that.

[derefr]

> But it could still add a script to the dom (and it would execute) or it could open a hidden iframe and do a bunch of wild stuff with that.

Maybe right now this stuff is a free-for-all, but shouldn't these scripts + iframes be executing, in some sense, under the CORS origin of the extension? (Not quite CORS in the traditional sense—you do want e.g. Greasemonkey to be able to mess with pages on all domains, even ones that don't want it to—but you could re-use the CORS origin-tracking, and just relax the rules slightly where extension:tab interactions are concerned, while still having rules.)

[iudqnolq]

How would you implement navigating within the page without executing in the context of the page? For example, jump to the next form field requires finding the form fields.

[azinman2]

By having chrome build explicit support for this kind of stuff, and creating an API around it.

It seems plausible for Google to inspect its top 500 extensions, and figure out a set of APIs that support all of those needs without giving unlimited read/write/network/execution access to the extension. Just look at how Safari created their own Adblock API thats faster/more memory efficient without giving away URLs to the part of the extension that has network access. This model should be expanded upon.

[jefftk]

I can't tell whether you're being serious or sarcastic, but in case it's the former Google has proposed doing this (https://blog.chromium.org/search/label/manifest%20v3) and it's been very unpopular here.

(Disclosure: I work for Google, speaking only for myself)

[6510]

Yes, when trying to write extensions I found the access requirements much to generic.

I think the back-end should also be reviewed and hosted by a trusted party.

[6510]

Or make that "reviewable back-end with an option to host it with a trusted party". I also don't mind paying for a review if that improves the quality of the review (for when it is appropriate of course)

[sneak]

Extensions don’t need to auto-update.

[kevingadd]

Sadly they do because security holes or bugs can be found in extensions, and those can affect third-party websites. Project Zero has found many bugs of that sort and getting them patched on users' machines is very important.

If the extensions' permissions are extremely limited the risk profile becomes low, but that makes them far less useful.