by rektide 1606 days ago
> Note, because of technical reasons (content security policies) some sites (e.g. Twitter, Airbnb) will add to Electric Tables, but in a new tab instead of using a pop-up and it won’t grab much additional data.

so so so frustrating. extensions getting whacked into irrelevance by CSP is such a vulgar sick security misfeature. what a repulsive era of oversecuritization we've FUD'ed ourselves into. the only voices at the table are those hungry to lock down & deny power to users; technical authoritarianism without check.

the only workaround i can see is abandoning extensions & making devtools the new way we extend user-agency. the browsers, the standards folks are killing regular user-agency. they are forcing us to climb down to a lower security ring.

wonderful world changing extensions like Hypothesis are also broken on sites like twitter and airbnb. making the web read only, removing all user agency, is so not ok. projects like Electric Tables show hints of the better web that many long hoped was to come, that has slowly been emerging. but this potential is being cut off, in the most critical areas. something's got to give. we can't flourish, can't survive a corporate controlled web.


It seems the reason this is being bonked by CSP is that it's not a browser extension, but rather a bookmarklet, and it's bookmarklets that are being whacked by CSP. And it's sad, because bookmarklets were even more in the ethos of zero-install than extensions are - but that's a double-edged sword if malicious actors use it on unwitting customers.

Where extensions are actually getting whacked beyond what is necessary for security, though, is Chrome's Manifest V3, which is tightly cutting down on the ability of extensions to eval code, run background tasks, and run custom logic to intercept web requests. Anti-ad-blocking considerations are creating massive conflicts of interest here, straight to the point of the last paragraph in the parent. It's not a good direction for the open web.

See: https://www.eff.org/deeplinks/2021/12/googles-manifest-v3-st...
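As an added illustration of the mechanism this comment describes (example code, not from the thread and not part of Electric Tables): a simplified evaluator for the CSP `script-src` directive. It assumes, as the comment implies, that the browser treats a bookmarklet's `javascript:` URL like any other inline script, so a policy without `'unsafe-inline'` (or one that uses nonces, which cancel `'unsafe-inline'`) blocks it while still permitting the site's own scripts. The policy strings, nonce and URLs are constructed sample values; hash-sources, `'strict-dynamic'`, host wildcards and path matching are deliberately left out.

```javascript
// Added example: a simplified CSP script-src evaluator (not from the thread).
// Covers the source expressions that matter for the bookmarklet discussion:
// 'self', 'unsafe-inline', 'nonce-...', scheme-sources (https:), host origins, '*'.
// Hash-sources, 'strict-dynamic', host wildcards and path matching are omitted.

// Parse "script-src 'self' https://cdn.example; img-src *" into {directive: [sources]}.
function parsePolicy(policyHeader) {
  const policy = {};
  for (const rawDirective of policyHeader.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// script-src falls back to default-src; with neither present, scripts are unrestricted.
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || null;
}

// May an inline script run? "Inline" here means an inline <script>, an on* handler,
// or a javascript: URL such as a bookmarklet (assumed to be treated as inline script).
function inlineScriptAllowed(policyHeader, nonce = null) {
  const sources = scriptSources(parsePolicy(policyHeader));
  if (sources === null) return true;
  const nonceSources = sources.filter(s => /^'nonce-.+'$/i.test(s));
  const hashSources = sources.filter(s => /^'sha(256|384|512)-.+'$/i.test(s));
  // A script carrying a nonce that the policy lists is allowed regardless of the rest.
  if (nonce !== null && nonceSources.includes(`'nonce-${nonce}'`)) return true;
  // CSP3 rule: any nonce- or hash-source in the directive cancels 'unsafe-inline'.
  if (nonceSources.length > 0 || hashSources.length > 0) return false;
  return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

// May an external script at scriptUrl load into a page served from pageUrl?
function externalScriptAllowed(policyHeader, pageUrl, scriptUrl) {
  const sources = scriptSources(parsePolicy(policyHeader));
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  return sources.some(source => {
    const s = source.toLowerCase();
    if (s === '*') return true;
    if (s === "'self'") return script.origin === page.origin;
    if (s === "'none'") return false;
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return script.protocol === s; // scheme-source, e.g. https:
    if (s.startsWith("'")) return false; // keywords, nonces and hashes never match a URL
    try {
      // host-source: compare origins only (path matching omitted in this simplified model)
      const allowed = new URL(s.includes('://') ? s : `${page.protocol}//${s}`);
      return allowed.origin === script.origin;
    } catch {
      return false;
    }
  });
}

// Constructed sample policy of the kind a site like the ones mentioned above might send.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com";

console.log('bookmarklet / injected inline script:', inlineScriptAllowed(SAMPLE_POLICY));            // false
console.log("site's own nonced script:", inlineScriptAllowed(SAMPLE_POLICY, 'r4nd0m'));            // true
console.log('same-origin script:', externalScriptAllowed(SAMPLE_POLICY,
  'https://app.example.com/page', 'https://app.example.com/app.js'));                                // true
console.log('third-party script:', externalScriptAllowed(SAMPLE_POLICY,
  'https://app.example.com/page', 'https://other.example.net/x.js'));                                // false
```

The interesting behaviour for this thread is the nonce rule: a site that moves from `'unsafe-inline'` to per-response nonces gets protection against injected inline script (the whole point of CSP), and the same rule is what leaves no room for a bookmarklet, since nothing lets the user supply a nonce the page will recognise.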

Many thanks for the post. My apologies for getting this wrong! It does make more sense that bookmarklets would not have the privilege necessary. It'd be nice to give them an escape hatch, a way to escalate: `javascript+user:alert(1+1);` But this ultimately feels a lot less pernicious & more understandable (as an oversight) than I'd made things out to be.

I think you've got the eye on the ball here, on where the really important issues are shaking down. Diving back into smaller-grained topics, I find it interesting how much focus the web request interception has gotten versus so many other topics of the Web Extensions clamp-down happening. I couldn't find any discussion of the removal of eval/dynamic code, for example (daggers of irony: the same rule Apple uses to forbid v8 on iOS), & opened what I believe is the first issue against that. https://github.com/w3c/webextensions/issues/139 . The background tasks discussion is another important one: extensions no longer having most of the web platform accessible to them would be extremely limiting. Discussion here is active (if not totally hope inspiring), with proposals such as "Limited Event Pages" https://github.com/w3c/webextensions/issues/134 trying to move things into the right direction.

I'm not entirely sure that Electric Tables is quite so grandiose as all that but I appreciate the sentiment!

As for CSP - I'm not technical enough to really understand why it needs to exist or how it might be re-architected but as a hobby coder I love it when things are extensible / hackable and CSP seems to be a pain in the ass!

Indeed. This project feels worthy of exploration, and collaboration. There's an AirTable clone https://github.com/nocodb/nocodb; makes me wonder how the two projects can be federated. Happy to talk about that.

Psst, put a space between the url and punctuation, like semicolons, after it
> era of oversecuritization we've FUD'ed ourselves into

Are you referring to the OWASP living proof that sites are built insecurely? I strongly disagree with your characterization of the state of web security. We need a lot more, and we didn't get where we are through FUD but through actual exploits and billions in losses and frauds.