[SilverRed]

The whole idea of extensions is fundamentally broken. You are letting an unknown person who you have no way to trust or hold accountable access all of your web data.

It can't be fixed without crippling the system. You can't sandbox permissions because the most basic and useful tools require full access to every website.

The only way I can think of is having all extension developers required to have their identity verified and from a country that follows some common law so that google can take legal action against malware developers.

[mjevans]

JavaScript served by the sites; exact same issue.

I shouldn't be forced to run someone else's code to look at a publication. That's the entire point behind using something as ugly as XML (or it's simplified child, HTML) to begin with: this is supposed to be a document markup language. A method of annotating what an author would _like_ to have happen when rendering the data.

I seriously loath the fetish of creating pixel perfect displays which treat the end user as an actively hostile element; a passive consumer, rather than someone empowered to use the data for their own enlightenment in the manor their preferences prefer. (Font size, screen reader, dark / light mode, etc)

[daveoc64]

> JavaScript served by the sites; exact same issue.

It's not really the same issue.

If you are visiting a site that uses its own JavaScript, you can probably assume that if it's run by someone trustworthy, the script isn't going to try stealing your passwords or credit card number. There shouldn't be any reason for the web page to have access to anything that you're not providing it with anyway.

A browser extension (like an ad blocker) can access the content on every page you visit. That could be your bank, email account, social media - anything. If you have a malicious browser extension, it can see everything you do.