Hacker News new | ask | show | jobs
by erikig 2236 days ago
Can "Read and change all your data on the websites you visit"

Chrome extensions that require such extensive permissions make me extremely nervous and I don't think I'm alone. Is there a way to build this in a way that didn't require such elevated privileges?
4 comments
jfoster 2236 days ago
It's been a while since I dabbled in Chrome extensions, but if nothing has changed, then not as a Chrome extension, unfortunately. If you mean theoretically, then of course; Chrome could let extensions subscribe to particular event hooks and whatnot and get very fine-grained about it. I expect that would actually be too fine-grained for most users, but what they have at the moment is a system where installing almost any extension feels quite risky. I'm not sure that Google really want Chrome extensions to exist, though. It feels like a very neglected part of Chrome.
link
prashantb 2236 days ago
On the last part, I agree with you from a developer's point of view as well. The review process is a shambles at the moment. Sometimes the review process can take weeks and one can still get rejected with no explanation. I understand the need for a manual review when an extension asks for powerful permissions like this one does but an approval time of more than a week is a bit much. And every subsequent update to the extension (even a small description change) also goes through the same review process. Imagine a critical bug fix taking more than a week for approval! It feels like they want to shut down their doors for individual developers. In comparison, firefox took only 2 hours to approve the same extension.
link
ajayyy 2236 days ago
Firefox only does manual reviews on "Recommended Extensions"
link
jdc 2236 days ago
I expect that would actually be too fine-grained for most users [...]

Even with that level of detail on the backend, there's no need to expose it all the user by default. That is, you could tell the user about group various related events together (eg. mouse, page load, etc) and power users could also drill-down if they like.

link
jfoster 2236 days ago
Yeah, that would be a good way to do it.
link
ramenmeal 2236 days ago
I don't think there is a "scrollbar usage" permission.
link
jooize 2236 days ago
We need an extension firewall extension!
link
revicon 2236 days ago
One thing I always do is use the Chrome Extension Source Viewer (also an extension)

https://chrome.google.com/webstore/detail/chrome-extension-s...

Which lets me view the source code of any chrome extension right from the chrome store install page, lets me see for myself if the extension is going to try to make any covert external web requests or whatever.

link
jooize 2236 days ago
… in its current state.
link
WilliamEdward 2236 days ago
Just don't update it?
link
tbodt 2236 days ago
You can't avoid Chrome extension updates
link
renewiltord 2236 days ago
Pretty easy if you’re a security concerned software engineer. Clone repo, read the source, and Load Unpacked...

Last time I did this it was easier than typing this comment.

link
dddddaviddddd 2236 days ago
You could inspect the source code and build it yourself (about 300 lines of JavaScript + JQuery): https://github.com/prashantbaid/scrolltrotter
link
mceachen 2236 days ago
The problem with any chrome extension is that there's no guarantee that the git repo matches the bag of bits that you're installing. No-prompt auto-updates exacerbate the issue.

Installation of software will always require a leap of faith that the publisher doesn't have ill intent.

link
chapplap 2236 days ago
You can install the extension directly from a cloned copy of the Github repo (basically as if you were the extension developer). No auto-updates or anything since it's just loaded from some files on your disk. Chrome will nag you about it from time to time though since getting people to install unsigned extensions is a common attack vector.
link
revicon 2236 days ago
Try this: https://chrome.google.com/webstore/detail/chrome-extension-s...

Views the source code straight from the google store

link
mceachen 2236 days ago
Thanks for sharing, but that's yet another publisher I have to trust with "read and change your data on clients2.google.com, read your browsing history, manage your downloads."

It'd be great if chrome and firefox allowed open source chrome extensions to be compared with their git source tree, possibly with diffs between releases.

Still, though, how many people will go through that effort?

link