by RHSeeger 2233 days ago
> All of that attention resulted in our issue being resolved. This is good for us. It is not yet clear if the attention will help other developers that are struggling with similar vague rejections.

I think it's been made abundantly clear that Google will not, in fact, improve anything from experiences like this. They happen over and over and every single time it's the same; if it gets publicity, someone helps resolve it; but nothing ever improves in the way of communication.

6 comments

Have a look at this https://twitter.com/ArtemR/status/1261159338170658816 and the surrounding discussion.

This is basically the only person at Google who can make things happen if there's a problem with Chrome extensions.

If it works the same way as the play store does, the DA has little to do with that.

A play store advocate can not look up why your app got rejected, they can at most ask their play store colleagues to look it up and to contact the app owner.

It is this way to avoid getting in a situation where being friends with a DA is a huge advantage.

Their job is to collect dev feedback, as well as evangelizing good practices.

And granted, both teams could do a better job at pinpointing the issues (and devs might also try harder to follow the rules .. fwiw play store bans threads have just been banned from r/androiddev because devs had a tendency to forget to talk about the legitimate reason why they got kicked out)

As the lead of that Devrel team, this is pretty much spot on. The process for these things is out of our hands (prevents abuse etc). There are a lot of things we can improve about the Chrome Web Store processes, not to mention a lot of other areas across Chrome.
And yet this single DA is the one who's able to request an appeal with undoubtedly more weight than the developer.

https://twitter.com/DotProto/status/1261325118774493190

This was low-key shocking to learn. What if this all happened while he was on vacation?
And he says with current events, meaning a massive number of recently-laid-off-developers Google could have cheap, things will continue to move slowly.
Or the pm whoever that is now
It seems like there are two ways to handle an exceptional condition. One is to say, "Gosh, this is bad! We'll fix it and move on!" And the other is to say, "This is bad, and it's telling us something about the system we've built. So let's fix it for this person, then find the systemic flaw and fix it so we stop doing this in the future."

Sadly, a lot of companies will look at a PR problem and do just enough to make their pain go away, without ever saying, "Wait, are there people we should care about besides ourselves?" It's disappointing.

App and extension developers should organize into a trade group and collectively bargain with the companies running app stores.
The end result being a far less permissive extension. The permissions they required were insane but our entire focus is on Google's customer service.

Now that we all agree that Google's process sucks, can we talk about how insane it is to even have this level of permissions available for request in the first place?

It’s not insane to have a

  *://*/*
permission, since things like generic content blockers have to be able to modify any page (you definitely need to take great care when installing these extensions, which unfortunately most users aren’t equipped to assess, which is why extension security is such a headache and stringent review is welcome).

On the other hand, this particular extension requesting this access just because they weren’t told not to is more of a wtf.

It might be difficult to impossible to currently implement, but perhaps if you have access to *://*/* you should lose access to pretty much every other permission.
That’s not how permissions work in Chrome extensions. You pretty much can’t do anything with the URL matching permission alone, however broad your pattern (including <all_urls>).

Take a look at

https://developer.chrome.com/apps/declare_permissions

https://developer.chrome.com/extensions/api_index

Edit: I should mention that content script permissions declaration works differently: https://developer.chrome.com/extensions/content_scripts
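
[Added example, not part of any comment in this thread and not Chrome's or any extension's own code: a small manifest audit that reports all-sites match patterns (`*://*/*`, `<all_urls>`) separately for the `permissions` list and for `content_scripts`, alongside the API permissions they are combined with. The sample manifest is constructed; `host_permissions` is the Manifest V3 key and is handled as an assumption about newer manifests.]

```javascript
// All-hosts match patterns: "<all_urls>" or "<scheme>://*/<path>".
const BROAD = /^(\*|https?):\/\/\*\/.*$/;
const isBroad = (p) => p === '<all_urls>' || BROAD.test(p);
// Entries containing "://" (or <all_urls>) are host patterns;
// every other string is an API permission name.
const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');

function auditManifest(manifest) {
  const findings = [];
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // Manifest V3
  ].filter((p) => typeof p === 'string');

  // API permissions decide what broad host access can actually be used for.
  const apis = declared.filter((p) => !isHostPattern(p));
  for (const p of declared.filter(isHostPattern)) {
    if (isBroad(p)) findings.push({ where: 'permissions', pattern: p, apis });
  }

  // Content scripts declare their own match patterns, independent of the
  // permissions list, and run inside every page they match.
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) {
      if (isBroad(p)) {
        findings.push({ where: `content_scripts[${i}]`, pattern: p, js: cs.js || [] });
      }
    }
  });
  return findings;
}

// Constructed sample manifest for illustration only.
const sample = {
  manifest_version: 2,
  permissions: ['storage', 'webRequest', '*://*/*', 'https://example.com/*'],
  content_scripts: [
    { matches: ['https://example.com/*'], js: ['a.js'] },
    { matches: ['<all_urls>'], js: ['inject.js'] },
  ],
};

console.log(JSON.stringify(auditManifest(sample), null, 2));
```
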

That wouldn't help much. For example, with read/write access to your banking website a malicious extension could inject a script tag that exfiltrated data to their server.
I know, that's why I say it's difficult to impossible to implement at the current time. I do think it is an interesting goal.
I think it's better to implement content blocking outside of the browser (especially considering it's not in the interest of the most popular browser's backing company) and eliminate these types of permissions completely! I.e. Wireguard + DNS adblocker (or w/e you want to block). Not only does it perform better but you aren't leaking data to third-parties, who even if they are noble could be acquired by a less noble entity down the road.
DNS filtering is a very crude form of content blocking. It’s a supplement, not a replacement. Have a look at uMatrix for an example of heavy machinery. See also CSS-based blockers like Shut Up (or mixed blockers like ABP that include CSS-based rules), which are completely impossible on the network layer.

Also, content blocking is just one example. There are other legit use cases of the all sites permission: Tampermonkey, Stylus, password managers, any kind of web clipper, trivial things like Don’t Fuck with Paste, auto refresh, user agent switcher, etc. The list is endless.

It's not unlike malware analysis. Heuristics make it better, and you need to be in the DOM for that. There's also handy things like "right click to block".
Google owns that side of it too. If Google thinks you are over-reaching in your access to permissions, they can simply choose not to provide access to the resources behind those permissions.
If this happens to our extension, my plan is to have our team, along with our users, protest outside of Google and to invite the local media.

They simply DO NOT CARE unless they're embarrassed.

My theory is that the AI has taken over and that there aren't any more humans at Google.

Google has effectively crowdsourced both developer support/restitution and extension filtering for chrome.

Instead of paying people to answer emails for developer support, they pay a small number of people to monitor social media sites for complaints that reach some threshold of outrage/publicity.

Way less hassle to let the public solve their problems.