by rob-olmos
2140 days ago
Agreed. Like with Pocket's Chrome extension permission model[1] that has a "read everything on all websites", when really it only needs brief access to the URL when I want to save something. I tried changing the "Site access" setting to "On click" -- but then the extension started acting funny or not working in some cases. Chrome has added a more limited "activeTab" permission[2], but even that might be too much since it grants control to the tab and continues to allow permission on the same origin. Like the GP said, even if the extension developer isn't trying to exfiltrate data, they should do more to protect users from a compromise of their extension, and browsers should give them the models to do so. IMO, good security models can be a foundation forward to better overall security compared to desktop apps since it seems that browsers are becoming an OS of their own.

1: https://help.getpocket.com/article/912-what-permissions-does...

2: https://developer.chrome.com/extensions/activeTab