[azinman2]

By having chrome build explicit support for this kind of stuff, and creating an API around it.

It seems plausible for Google to inspect its top 500 extensions, and figure out a set of APIs that support all of those needs without giving unlimited read/write/network/execution access to the extension. Just look at how Safari created their own Adblock API thats faster/more memory efficient without giving away URLs to the part of the extension that has network access. This model should be expanded upon.

[jefftk]

I can't tell whether you're being serious or sarcastic, but in case it's the former Google has proposed doing this (https://blog.chromium.org/search/label/manifest%20v3) and it's been very unpopular here.

(Disclosure: I work for Google, speaking only for myself)

[tyingq]

It was unpopular because it didn't examine ad blockers and provide apis that allowed them the functionality they have in a safer way.

It instead proposed a very hobbled alternative.

[azinman2]

I'm being serious. It's been a long time since I've developed a Chrome extension so I don't follow them, but it seems to be me that is a good start but there are many areas where Chrome (and other browsers) could go even more fine-grained.

I'm not sure why it's unpopular here (perhaps its implementation vs concept?), but it seems to me that with the realities of malware constantly being distributed through extensions in addition to the obvious privacy issues, that many reasonable people would wish to see this evolution.

Personally I use almost zero browser extensions because of these issues.

[jefftk]

It's come up here several times, for example: https://news.ycombinator.com/item?id=20050173

[TeMPOraL]

In a nutshell, it's unpopular because it neuters adblockers, and Google doesn't have the reputation of a benevolent actor anymore.

[azinman2]

So if that’s true, then they’re not doing as I suggested: take a fine-grained approach to the top 500 extensions (including adblocking) to make it possible to create them without having full read/write dom + networking. I believe the content blocking APIs in Safari are a great start and could be taken so much further.

[TeMPOraL]

This might work if Google didn't have ulterior motives here, but would still amount to neutering the browser as a general-purpose computing platform.

[azinman2]

Not at all! Webpages can still do as they like. That’s general purpose!

We’re talking about extensions distributed on a store that often end up with malware. I’m not even necessarily advocating for them to remove the ability to anything they wish (yet)... but let the browser catch up to already do what these extensions want in a more secure way. What’s wrong with that?