by _fat_santa 2226 days ago
You know this wouldn't be so much of an issue if Chrome didn't disable the ability to install extensions outside of the web store.

As an extension developer it's absolutely infuriating to realize that:

1. There is no way to install extensions outside the web store

2. Google won't approve anything to the web store.

3. The vast majority of people use Chrome vs other browsers.

------

I get it, Chrome is Google's browser and they can do what they please with it. However Chromium is open source and it's still impossible to do so.

Like, thanks Google. I spent months developing an extension only to realize that, as it stands today for the majority of developers, the Chrome Web Store is closed for new submissions.

And Google didn't even have the courtesy of telling us it's essentially closed, they just string us along with "pending reviews" (for context I've been trying to get my extension approved since February).


It's worth noting that the Chrome Web Store is currently full of malware and most malware I see on PCs was installed via the Chrome Web Store. By design, HTTPS does not protect your privacy at all if you have extensions that violate it, since they see what you see after TLS termination.

So this is a huge deal. Google is already bad at it, but I can't fault them for heavily restricting extension install: currently they are way too lax.

This is still something of a problem of Chrome's own creation though.

The reason Chrome can't be much, much more restrictive about what extensions get placed in the store is because there is no alternative. The less important your store is, the more exclusive (and safer) it can be.

Look at Linux with package managers like AUR. If a package isn't included in the official Arch repos, I generally don't mind. I can go install it if I've vetted it myself. What that means is that Arch can be a lot more restrictive about what they include. They don't really need to provide a bunch of justifications, they can just say they had a bad feeling or haven't gotten around to looking at it.

If the goal is to have safe spaces where users can be certain that they won't ever run into malware, the space maintainers need the freedom to be very restrictive. Google doesn't have that freedom with the Chrome Web Store specifically because getting banned from the Chrome Web Store is a massive deal -- they can't just decide to prioritize safety over everything else.

Small, optional safe spaces that people can opt into will always be better filtered, better moderated, and overall safer than a giant space that's forced to balance between freedom and safety for every single user at the same time. Moderation doesn't scale.

I don't think their priority is making a specific area where users are free from malware; they're trying to make it hard for malware overall to integrate with Chrome. Adding a supported path for software to integrate with Chrome (allowing extensions not through the store) where they can't block malware would be giving up on that goal.

> they're trying to make it hard for malware overall to integrate with Chrome

That's a reasonable argument, and you're probably right about their motivations. But I'm not convinced that's a realistic goal, because the definition of malware/spyware changes depending on the context/user.

The big reason moderation doesn't scale is because you're forced to balance everybody's needs at the same time -- you can't optimize for any particular user. If the end-consequence of an exclusive web store is that it's much harder for the Chrome team to ban shifty apps without everyone on Twitter asking for a bullet-pointed list explaining why, then the Chrome team isn't really making the world that much safer.

In general, I would advocate that it's better to try and build safe spaces rather than safe worlds. That's kind of a pragmatic philosophy: I'm having a hard time thinking of an existing safe world that I think runs well. All of the major app stores (including Apple's) have malware problems to at least a certain degree. Most giant social networks are not doing a good job of moderating content. Package managers for languages like Node and Ruby are running into the same issues.

Maybe the web itself? But the web doesn't get its safety from moderation, it gets its safety because of sandboxing.

If I'm thinking purely as a consumer, what I really want is an extension store where I know 100% that everything on it is fine. I don't want to have to think or read reviews or look up the author before I install an extension. I want it to be clear when I'm being safe and when I'm doing something dangerous. I suspect that's what a lot of consumers want, and I just don't see any realistic path for Chrome to provide that with their current strategy.

I get that "somebody might choose to leave the safe space and install malware anyway" feels bad, but if the consequence of avoiding that is, "everybody gets kind of substandard protection all the time", maybe it's worth questioning whether Chrome's malware goals are worth pursuing in the first place.

You're confusing two things:

  laxness <--> strictness scale

  carefulness/competence <--> carelessness / incompetence scale

Google tries to do this with automated processes and minimum-wage drones, which results in both million-dollar extensions being bumped AND widespread malware being let through.

> Google tries to do this with automated processes and minimum wage drones

Do you have an alternative suggestion for how they could do it better?

Yes, but it involves spending more money.

Not necessarily?

E.g. you could sell developer support at $10k/annum with a 3h SLA for escalation to a senior eng. Serious companies with businesses that rely on Chrome plugins would purchase in a second.

$1000 yearly subscription for the store membership for human-curated content.

Apple can do it for $99 a year (plus thirty percent of course). Their system is by no means perfect, but there absolutely is less bullshit malware on their market vs Google Chrome.

I think the parent meant that the Chrome user would pay $1k/year for human-curated extensions.

So it's the usual: make it available unrestricted on launch so that idiots build on your platform, look how many apps/extensions we have. Once the market is captured, sorry, it's closed now, for we must protect our users.

Even if that's how it ended up, I doubt that was the plan. I think a lot of Google products, especially those from 10+ years ago, start out built for people like themselves: highly tech-literate software engineers. As long as that is true enough, extensions are great and useful, and the users are mostly skeptical/aware enough to avoid installing malware. Now the average Chrome user is the same person that filled their IE browser window with BonziBuddy toolbars.

It never is the plan, I would say. Great products like Chrome are made by people that are driven by the idea of making a great product, for the user. But after that is proven, given some time, the shareholders take over and priorities shift.

It also doesn't help that dodgy folks started buying trusted extensions. One update of a trusted extension and you're just as bad off as installing a dodgy one in the first place.

You do realize that the original Pushbullet issue arose from Google trying to be even more strict and reduce the amount of malware, right? And even with all that, as you mention, CWS is still full of malware.

What hope does any other store then have to create a malware free web store if even Google can't? And if they allow installation from anywhere, do you realize that whatever state we are in now, it would be orders of magnitude worse?

If there is some way to get malware into your computer, someone out there will make you do it. That's exactly why installing extensions is so locked down. I don't understand how people think that it will magically all be better if users were given full access to install whatever from wherever. Have you never in your life interacted with an average non-poweruser?

> What hope does any other store then have to create a malware free web store if even Google can't?

I think you're giving Google too much credit here. For years nearly every single extension, no matter how targeted the purpose, has told me "This extension will have access to all your data on all your web pages". It is such a no brainer to do a little better than that but they tolerated it for years.

In a few cases I looked into why developers requested that kind of permissions and the answer was that Chrome permissions weren't designed well enough to allow narrower permissions. So Google has no excuses here. They control the browser and the store.

Just because they had a more lax approach in the past doesn't mean they aren't working hard to regain control now. And either way, none of that addresses the issue where expanding control would only make the malware issue worse, not better.

Maybe, just maybe, you will consider Firefox.

1. Same or better performance

2. Open source for real not just (pretending to be) Open Source

3. More transparent process

4. No business conflicts

Support Firefox if you care about the open web

I use Firefox as my primary browser, but I have recently run into issues with several sites that I need to use. Whenever I contact support, they tell me their site requires Chrome.

As it is, I have a Winblows box for gaming only that I put Chrome on, but one day I am going to be remote and needing Chrome. I don't want Google's tentacles on my work laptop, but am starting to worry that I have no choice...

Which sites? Name and shame.

If you absolutely must use Chromium you can use Brave instead. It doesn't solve the extensions issue discussed here but at least it cuts out most of the Google garbage.

> Which sites? Name and shame.

Or even better, report them to https://webcompat.com

Netflix limits video quality on Firefox although you can trick it with an extension. Then there is the fact that hardware accelerated decoding for Linux/X11 hasn't hit yet.

https://bugzilla.mozilla.org/show_bug.cgi?id=1619523

Anyway, one valid solution is to add one or more app shortcuts that effectively run chrome/chromium --app=url and collectively treat these Chrome-specific apps as such. Instead of opening a new tab, just click the icon on your bar.

This doesn't quite handle links, for example; however, one could use https://addons.mozilla.org/en-US/firefox/addon/open-in-chrom... to click on links and send them to Chrome for known problematic sites.

This is still way better than in the early Firefox/IE days.

Netflix limits video quality on Netflix and Chrome to 720p in the same way (except for ChromeOS), so I'm not sure that really fits your argument.

Not the GP, but here are some:

• Slack, for audio/video calls

• Microsoft Teams, for audio calls (the video portion technically works if you fake the user agent)

• Skype for Web, for audio/video calls (although it occasionally decides to work if you fake the user agent, it usually breaks)

Slack is a problem for me. I have to boot up a VM when someone wants to call me on Slack.

If it's a Linux VM it could boot up quite fast, right?

The Shopify admin panel stopped working in Firefox a few weeks ago.

I don't remember them all, but coveredca is one.

I thought Brave was yet another scammy project that was showing ads (albeit selectively)

Definitely shame coveredca since that is a public service website.

Put that one out to some local media, social media, etc.

I haven't tried it with that site, but I generally find that chromium + changed useragent usually gets past most checks like that.

Ironic. Back in the days when IE was king, we thought that all that's needed for a truly open web is open standards. Now Google has demonstrated how you can have open standards, but still create and maintain a monoculture around them, simply by evolving them so fast that any competition can't keep up.

You can use the Ungoogled Chromium builds, which also remove the remaining creepy misfeatures that Chromium has: https://ungoogled-software.github.io/ungoogled-chromium-bina...

The builds themselves may potentially be insecure, but they're rather popular among the security-conscious target audience, so I hope someone would notice if they go bad.

Sadly, there's some uber-cool advanced web platform stuff that's only supported, or only supported well, on Chrome.

Web devs should not be using that stuff until it has broader support.

There is always ungoogled-chromium, which runs many of these add-ons: https://ungoogled-software.github.io/ungoogled-chromium-wiki...

Edge dev uses Chrome under the hood and you don't sell your soul to Google.... Just to MS.

Does Firefox have the useful extensions that Chrome has? Are they as safe or safer?

Of course! I don't use extensions, but I'm sure most of the big players you'd expect from Chrome have a Firefox version as well. Here is uBlock Origin https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...

Apparently Mozilla vets add-ons with their ‘Recommended Extensions program’, not sure how you get an extension into that program though.

Here is Pushbullet for Firefox! https://addons.mozilla.org/en-US/firefox/addon/pushbullet/

Chrome purposely breaks some privacy-oriented extensions.

At least it's possible to side-load extensions in Chrome. I've been more disappointed in Firefox, which doesn't allow this at all, even in the developer release. The only thing similar to side-loading that is allowed is a temporary debug process, which loads an addon but only until the browser is restarted.

You can! It's far more annoying, but I've been running a few that I've made for myself.

In `about:config`, set `xpinstall.signatures.required` to false, and then you can install an unsigned bundled extension locally and it'll persist like normal extensions.

If this is not in the MDN refs anywhere yet, it really should be. I've been battling with web-ext for a week now after something mysterious broke that I've not yet been able to fix. I'm so glad you posted!

It looks like that doesn't work in the regular version of Firefox, only Nightly, Developer, or one of the unbranded versions. Is that true in your experience?

You're correct, this doesn't work on stable or beta releases.

Yes, I forgot about this, but I'm using the Developer version as my main browser because of that.

There is an unbranded build of Firefox that allows this, even provided by Mozilla.

This was made particularly clear to me when I tried to install AdNauseam [1] on Chrome. Google removed the extension from their web store (imagine doing something the user wants, like messing with Google ads, terrible!) so you have to sideload it via the developer options. Now I get a popup every time I open Chrome telling me that there's a dangerous extension, with a single-click uninstall button.

Firefox has its issues (the signing requirements because of malware and invasive antivirus companies suck, but I can understand why they exist) but their addons aren't discriminated against. There are addons listing porn sites on there, something for which Google would remove the extension on sight, there are addons that mess with Google and their ads, and the list goes on. The browser is no longer independent from Mozilla, but it still remains much more free than Chrome.

[1]: https://adnauseam.io/, it's an addon that clicks every ad while still hiding them to fight back against advertisements and break the profile ad companies construct around your interests.

On Chrome you can actually create your own signing key, and then self-sign the unpacked extension directory using your key. To remove the pop-up you then need to set up a group policy (on Windows) to trust your self-signed extensions. End result is this popup doesn't come up at launch.

I think this is so hidden (and not really documented well) as a "fix" that must have been added for companies that use their own internal extensions that don't publish them on the web store.

If you can't figure it out from that description, I can try to publish a step-by-step on how to accomplish this.

Funnily enough, I was actually trying to figure this out today.

I created a very basic Extension, to modify the new tab page (as it's something you can't set in G Suite the way we'd like it).

I wanted to deploy it to our G Suite users, and saw there was an option to deploy via a URL. So I packaged it up in Chrome, put the .crx in a public S3 bucket and set it to force install.

Unfortunately it did nothing... is this not possible? Why is it even an option? Eventually I ended up paying for a developer account and submitting it for approval (which was actually super fast).

Self-hosting is def an option. Check out "Managing Extensions in Your Enterprise" https://support.google.com/chrome/a/answer/9296680?hl=en. That's probably the single best resource for hosting your own extensions and installing them on managed devices.

You certainly can with G Suite-managed accounts. https://support.google.com/chrome/a/answer/6306504?hl=en

Edit: You seem to say this did nothing for you? Well, good luck troubleshooting.

Yeah, pointed it to the crx, set it to force install and nothing happens.

If I install the crx locally it works fine. No way of seeing any logs to troubleshoot, pinged a message to our reseller but that method is looking like a dead end.

You may be able to reach out to the Chrome Enterprise Browser Support team for assistance. https://support.google.com/chrome/a/answer/4594885?hl=en

You can't have your users "Load Unpacked..."? That always works for me.

For testing, sure, but this needs to go to just over 1000 people.

The only example I can find online on deploying via URL is this:

https://support.securly.com/hc/en-us/articles/360036540753-H...

Can't see many official docs on it at all.

Now I've gone the Developer route I can see you can create internal apps without having to get them approved so think that's my best option now.

This white paper may help https://support.google.com/chrome/a/answer/9296680?hl=en

At some point I want to put together a simple Node.js server and ExtensionSettings policy to demo a basic working setup, but unfortunately that's back-of-the-bus level backseat at the moment.

https://cloud.google.com/docs/chrome-enterprise/policies/?po...

You have to get it signed and deployed as an internal app first.

> However Chromium is open source and it's still impossible to do so.
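The "Node.js server and ExtensionSettings policy" demo mentioned above, as an added example that is not from anyone in this thread: Chrome's ExtensionSettings policy expects `update_url` to point at an update manifest XML, and that manifest's `codebase` attribute is what names the .crx file, so the example builds both artefacts and routes a tiny HTTP server to serve them. The extension id, host name and .crx path are constructed placeholders.

```javascript
// Constructed placeholders: a 32-char id (letters a-p), an internal host, the packed .crx.
const EXT_ID = "abcdefghijklmnopabcdefghijklmnop";
const HOST = "https://updates.example.internal";
const CRX_PATH = "/newtab/newtab-1.0.0.crx";
const VERSION = "1.0.0";

// Chrome extension ids are exactly 32 lowercase letters in the range a-p.
function isValidExtensionId(id) {
  return /^[a-p]{32}$/.test(id);
}

// The update manifest Chrome fetches from update_url. Chrome downloads the
// .crx named in codebase= only when version= is newer than what is installed.
function buildUpdateManifest(id, version, crxUrl) {
  if (!isValidExtensionId(id)) throw new Error("invalid extension id");
  return [
    "<?xml version='1.0' encoding='UTF-8'?>",
    "<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>",
    `  <app appid='${id}'>`,
    `    <updatecheck codebase='${crxUrl}' version='${version}' />`,
    "  </app>",
    "</gupdate>",
    "",
  ].join("\n");
}

// ExtensionSettings policy value: everything not listed is blocked, and the
// self-hosted extension is force-installed from the update manifest URL
// (not from the .crx itself).
function buildExtensionSettingsPolicy(id, updateUrl) {
  if (!isValidExtensionId(id)) throw new Error("invalid extension id");
  return {
    "*": { installation_mode: "blocked" },
    [id]: { installation_mode: "force_installed", update_url: updateUrl },
  };
}

// Routing for the demo server: the manifest at /updates.xml, the crx bytes at CRX_PATH.
function route(pathname, crxBytes) {
  if (pathname === "/updates.xml") {
    const body = buildUpdateManifest(EXT_ID, VERSION, HOST + CRX_PATH);
    return { status: 200, type: "application/xml", body };
  }
  if (pathname === CRX_PATH) {
    return { status: 200, type: "application/x-chrome-extension", body: crxBytes };
  }
  return { status: 404, type: "text/plain", body: "not found" };
}

// Only start listening when asked, so the functions above can be reused without a server.
if (process.env.SERVE_UPDATES === "1") {
  const fs = require("fs");
  const http = require("http");
  const crx = fs.readFileSync("." + CRX_PATH); // the .crx packed in Chrome
  http.createServer((req, res) => {
    const r = route(new URL(req.url, HOST).pathname, crx);
    res.writeHead(r.status, { "Content-Type": r.type });
    res.end(r.body);
  }).listen(8080);
  console.log(JSON.stringify(buildExtensionSettingsPolicy(EXT_ID, HOST + "/updates.xml"), null, 2));
}
```

In production the manifest and crx must be served over HTTPS from a host the managed devices trust; the policy printed on startup is the value to set for ExtensionSettings.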

I don't know if it's true that the official Chromium or Chrome don't allow sideloading at all—but the rather popular ‘Ungoogled Chromium’ build certainly does (in fact, it probably still doesn't work with the web store directly): https://ungoogled-software.github.io/ungoogled-chromium-bina...

However, the security of these builds may be questionable.

You can absolutely load unpacked extensions on Chrome, it's just not as convenient.

Previously, you could load self-signed crx files as well. This doesn't require developer mode.

This was removed around a year ago.

> There is no way to install extensions outside the web store

> The vast majority of people use Chrome vs other browsers.

Can you even do it with Firefox any more?

Yes, you can do so through the about:debugging page.

But you can do the same for Chrome in Developer Mode. What's the difference?

Unsigned extensions only work on Firefox Nightly and Developer, not Stable or Beta, regardless of what you set in about:config.

Is it closed to all types of new extensions? Or just certain kinds requiring certain permissions or in certain groups? I hadn't heard about this.

You can still install them on Chrome by downloading a directory and loading it via the extensions page (you have to keep the directory around though).

Firefox allows you to install .xpi packages directly, just by opening the xpi and clicking "install", after enabling the option to do so in about:debugging (unless you use a development version of Firefox, in which case it's automatically supported). No directory or zip extraction required.

I think it's just closed for new submissions of apps, right? I hadn't heard anything about extensions.

Correct, apps are deprecated and you can still upload new extensions.

Switch to Edge? You can install extensions from outside of the store.

What's your extension ID?

edit: nvm