Hacker News
by oefrha 2224 days ago
It’s not insane to have a

  *://*/*
permission, since things like generic content blockers have to be able to modify any page (you definitely need to take great care when installing these extensions, which unfortunately most users aren’t equipped to assess, which is why extension security is such a headache and stringent review is welcome).

On the other hand, this particular extension requesting this access just because they weren’t told not to is more of a wtf.

2 comments

It might be difficult to impossible to currently implement, but perhaps if you have access to *://*/* you should lose access to pretty much every other permission.
That’s not how permissions work in Chrome extensions. You pretty much can’t do anything with the URL matching permission alone, however broad your pattern (including <all_urls>).

Take a look at

https://developer.chrome.com/apps/declare_permissions

https://developer.chrome.com/extensions/api_index

Edit: I should mention that content script permissions declaration works differently: https://developer.chrome.com/extensions/content_scripts
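
Added example, not part of the thread: a small static check over an extension's manifest.json that separates broad host patterns (the `*://*/*` and `<all_urls>` forms mentioned above) from API permissions and from content-script `matches`, which are declared separately. The sample manifest is constructed, and the function names are this example's own.

```python
import json

# Patterns that match every site. The first two are the ones named in the thread;
# the scheme-specific forms are added here because they are just as broad.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(entry):
    """Host match patterns contain '://' or are the literal <all_urls>."""
    return isinstance(entry, str) and (entry == "<all_urls>" or "://" in entry)


def is_broad(pattern):
    """True when the pattern's host part is a bare '*', e.g. 'https://*/login*'."""
    if pattern in BROAD:
        return True
    _, sep, rest = pattern.partition("://")
    return bool(sep) and rest.split("/", 1)[0] == "*"


def audit(manifest_text):
    """Split a manifest into broad host grants, API permissions and
    content scripts injected on every site."""
    m = json.loads(manifest_text)
    # Manifest V2 lists host patterns inside "permissions";
    # Manifest V3 moves them to "host_permissions".
    declared = m.get("permissions", []) + m.get("host_permissions", [])
    return {
        "broad_hosts": [p for p in declared if is_host_pattern(p) and is_broad(p)],
        "api_permissions": [p for p in declared if not is_host_pattern(p)],
        # Content scripts declare their own "matches", independent of the lists above.
        "broad_content_scripts": [
            js
            for cs in m.get("content_scripts", [])
            if any(is_broad(p) for p in cs.get("matches", []))
            for js in cs.get("js", [])
        ],
    }


# Constructed sample manifest (not from any real extension).
SAMPLE = """{
  "name": "constructed example", "manifest_version": 2,
  "permissions": ["storage", "webRequest", "*://*/*", "https://api.example.com/*"],
  "content_scripts": [
    {"matches": ["<all_urls>"], "js": ["inject.js"]},
    {"matches": ["https://*.example.com/*"], "js": ["site.js"]}
  ]
}"""

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```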

That wouldn't help much. For example, with read/write access to your banking website a malicious extension could inject a script tag that exfiltrated data to their server.
I know, that's why I say it's difficult to impossible to implement at the current time. I do think it is an interesting goal.
I think it's better to implement content blocking outside of the browser (especially considering it's not in the interest of the most popular browser's backing company) and eliminate these types of permissions completely! I.e. Wireguard + DNS adblocker (or w/e you want to block). Not only does it perform better but you aren't leaking data to third-parties, who even if they are noble could be acquired by a less noble entity down the road.
DNS filtering is a very crude form of content blocking. It’s a supplement, not a replacement. Have a look at uMatrix for an example of heavy machinery. See also CSS-based blockers like Shut Up (or mixed blockers like ABP that include CSS-based rules), which are completely impossible on the network layer.

Also, content blocking is just one example. There are other legit use cases of the all sites permission: Tampermonkey, Stylus, password managers, any kind of web clipper, trivial things like Don’t Fuck with Paste, auto refresh, user agent switcher, etc. The list is endless.

It's not unlike malware analysis. Heuristics make it better, and you need to be in the DOM for that. There are also handy things like "right click to block".