[invisible]

It's as though nobody realizes extensions can be created or purchased by sketchy actors and that this is a huge security risk when the extensions request "all access to all sites." OK, so when setting up an account's username and password and are provided 2FA codes or recovery codes -- those can all be compromised. How can you know an extension is compromised? It's almost impossible to tell with certainty.

Things like "The Great Suspender" incident get ignored and folks assume no other extensions have the same problems.

[RedShift1]

And what in MV3 solved all of that? It still allows enough to do a lot of damage.

Regardless of that, at some point you have to trust software. You can't expect everyone to read every line of code and compile all the software by themselves.

[invisible]

Yes, I trust plenty of software and I'm not suggesting that extensions are bad in theory. Extensions being able to silently inject code and ownership to change at any time is a pretty bad security model. We can agree that there are _bad_ security models, right?

It's the sum of the parts in changes from manifest V2:

- no arbitrary code injection via executeScript, must be a file now

- no more remote code

- no more arbitrarily getting selected text or highlighted text on a tab

- declarativeNetRequest instead of intercepting requests

- explicit listeners on the page to help detect bad actors (vs just arbitrary JS running on the page)

[linkgoron]

Even ignoring ad blocking - with those rules stuff like Tampermonkey which is totally legit can no longer work with execute script. You also lost a lot of functionality by losing DOM, having to rely on the broken lifetime of a Service Worker instead of persistent background page .

It took Google three to four years to acknowledge that the community is completely correct with its criticisms, and that MV3 is garbage designed by people who have no knowledge on how people write extensions and which abilities they actually use.

They're finally adding features that should have been there years ago. The new scripting API which brings back arbitrary scripts, in a new form, the offscreen documents API, and hopefully they'll eventually implement limited event pages which are somewhat solving the background page lifetime and DOM issues (which are already implemented by Mozilla and Safari I believe). Obviously, everything was decided hastily in the last second so all of the features are supposed to be completed by "around" October 2022, just two months before the original MV2 cutoff.

I've also read some of the extension working group transcripts, it's pretty sad how Google/Chrome has no accountability and almost zero transparency.

[Barrin92]

>actors and that this is a huge security risk when the extensions request "all access to all sites."

sure but that's my choice, that's why it's an extension. Paternalism of telling me what to do with my browser is silly merely because something is potentially dangerous. The entire internet is potentially dangerous. Clicking on a link or installing a piece of software is dangerous.

You're an adult, make responsible choices about whose extension to install instead of demanding that Google strangle you with security policies which at the end of the day serves only one purpose which is to extend their control over the user experience.

[invisible]

These are a bunch of straw man arguments against what I said. There is a difference between clicking a link and an extension being able to read the contents of pages you visit -- like your bank records or credentials.

Some of these "choices" aren't actually _made_ by anyone. Even with trust of an author, if remote code is being used and a domain or server is hijacked, then the remote code could be replaced. It's a lose-lose problem for Google and not addressing this problem means worse security for casual users. The boogeyman that they will remove useful extensions is antithetical to their behavior so far.

[Barrin92]

if (casual) users is what Google was concerned about that'd be easy to solve. They could ship a full ad-blocker with Chrome that renders third party extensions obsolete and there'd likely be no v3 debate, because those are the extensions primarily impacted by the design choices made.

The entire debate we're having rests on the fact that they're not integrating this functionality (despite this being technically trivial) because it's in conflict with their entire business model. Which is the only reason people have to reach for third party extensions in the first place.