[andyrichardson]

I want to share my opinion on this as it's something that I've spent a lot of time thinking and talking to the Chrome Web Store team about.

The very core of the issue here is less about the manual review process (although that sucks) and more about how the review process is necessary due to how extension permissions work in browsers to-date. The current process works similar to how Android and IOS permissions worked back in the day by requiring the user to grant all permissions up front (equivalent to giving an extension sudo permission to your browser).

The feedback you'll most likely get from Google on this isue is that the solution to this is to narrow down what URLs your extension works on... but that comes with a pretty big assumption that an extension can declare that information up front. Many extensions (including developer tooling) don't need to run on EVERY page - they need to run on specific pages where some extension-specific code is running (this is the case with Urql, Preact, React, Rexux devtools). Narrowing down by URL just isn't possible and an ad-hoc solution where extension-specific code on the webpage can trigger permission requests (similar to how a website requests access to your camera) is needed.

I've written up a proposal for this case which I think addresses 90% of use cases where "sudo permissions" are being requested up front and in reality, could be requested on an ad-hoc basis. Whether it's an agreement or some criticism, anyone who is able to get involved in this discussion - please do! Every other platform is using ad-hoc permissions and we need to push for the same with browser extensions.

Here's the proposal: https://groups.google.com/a/chromium.org/forum/#!topic/chrom...

Here's my rant on Twitter about this problem (see retweeted comment): https://twitter.com/andyrichardsonn/status/12529205656960040...