by ultimoo 1614 days ago
This is clearly a useful product that solves real problems, but I'm here to comment on browser extensions as a whole. Personally, I find the notion of running 3rd party code with internet access that can see the entire DOM of any website a little scary. Do others on HN routinely use random browser extensions (e.g. Okta, Grammarly, etc.)? Is there a different way to think about browser extensions that frames it in a more appetizing way?
6 comments

>Personally, I find the notion of running 3rd party code with internet access that can see the entire DOM of any website a little scary.

Chrome now allows you to allow access to pages on an opt-in basis (i.e. you have to click the button for the extension to get access to the page).

See: https://support.google.com/chrome_webstore/answer/2664769

That's a hugely beneficial change! I too have avoided extensions because of the essentially complete trust required to accept that some code is good and will not be hijacked in the future.

Now when will Firefox implement the same idea?

That's a really good point and something we should be talking about as a tech community. For our extension, it's "active" if you're on a retailer page we support and not active when you're elsewhere on the web. The extension overlays information onto the product page which is why we need to be "active" - we give a food score + show you whether it's compliant with your dietary needs (this one is a paid feature so needs to be unlocked). Doing this allows us to remove the friction around needing to "click" to get the relevant info so our lens is it makes shopping easier, but maybe we're missing something important about privacy. Will you share a bit more about the concerns you'd have with us being able to see your shopping on AmazonFresh for example? To answer your question - I routinely use a few extensions (Honey, Dashlane, and, of course, Sift) but I do find that I'm more selective about Browser Extensions installs than Mobile App installs.

Yeah, I wish browsers would display a huge blinking warning when a user installs an extension that wants DOM access on any webpage. People should be extremely wary about these types of extensions.

I don't really care what kind of "guarantees" Sift would give me today on how they will use the power that users bestow upon them. Who knows what will happen if money gets tight, or a bean counter comes along and wonders why that particular revenue stream hasn't been squeezed.

I have the same feelings toward extensions as well. The same applies to mobile apps as well. I see people install extensions/apps willy-nilly just to try them out or for the lulz. For me to install, there must be a need being served that is worth the risk. Trusted adblockers qualify. That's pretty much all of the browser extensions I'm willing to risk.

> Is there a different way to think about browser extensions that frames it in a more appetizing way?

I like the idea of selecting things and choosing from a set of actions which I've installed. These would be opt-in, and only have "read" access to whatever content I've highlighted, and have zero "write" access. This would be enforced as a security requirement by the host environment (browser). For example selecting a product image/title/upc and choosing "analyze food ingredients" or something. The precedent in Chrome would be selecting text and choosing "Search Google for <text>".

Opting in sounds like the better pattern here. I would also appreciate it if I could opt in to giving the extension network access instead of extensions getting it by default.

uBlock Origin elegantly presents why fewer permissions does not necessarily mean an extension is more trustworthy: https://github.com/gorhill/uBlock/wiki/Can-you-trust-uBlock-.... To me, free software and monetization are the primary criteria in deciding whether an extension is malicious or not.
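
The thread distinguishes three kinds of page access: every site, a fixed list of sites (such as supported retailer pages), and access only after the user clicks the extension. As an added example that is not part of any comment above, this sketch reads a Chrome-style `manifest.json` and reports which of the three an extension requests; the function names, the sample manifests and the `shop.example` host are constructed for illustration.

```javascript
// Added example: classify how widely an extension asks to read pages,
// using only what its manifest.json declares.

// Match patterns that cover every site.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect every match pattern that grants access to page content.
function hostPatterns(manifest) {
  const fromScripts = (manifest.content_scripts || [])
    .flatMap(cs => cs.matches || []);
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 lists them under "host_permissions".
  const fromPerms = (manifest.permissions || [])
    .filter(p => p === "<all_urls>" || p.includes("://"));
  const fromHosts = manifest.host_permissions || [];
  return [...new Set([...fromHosts, ...fromPerms, ...fromScripts])];
}

function classifyAccess(manifest) {
  const patterns = hostPatterns(manifest);
  const broad = patterns.filter(p => BROAD.has(p));
  if (broad.length > 0) return { level: "all-sites", patterns: broad };
  if (patterns.length > 0) return { level: "listed-sites", patterns };
  // activeTab grants access to the current tab only after a user gesture.
  if ((manifest.permissions || []).includes("activeTab")) {
    return { level: "on-click", patterns: [] };
  }
  return { level: "none", patterns: [] };
}

// Constructed sample manifests, one per case discussed in the thread.
const samples = {
  everywhere: { manifest_version: 3, host_permissions: ["<all_urls>"] },
  legacyEverywhere: { manifest_version: 2, permissions: ["tabs", "*://*/*"] },
  retailerOnly: {
    manifest_version: 3,
    content_scripts: [{ matches: ["https://shop.example/*"], js: ["overlay.js"] }],
  },
  clickToRun: { manifest_version: 3, permissions: ["activeTab", "storage"] },
};

for (const [name, manifest] of Object.entries(samples)) {
  console.log(name, "->", classifyAccess(manifest).level);
}
```

This reports what the extension requests; a per-site restriction the user applies in the browser's extension settings is not recorded in the manifest.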