Hacker News
by strken 1252 days ago
As a user it's not that helpful when extensions which inject stuff into the page (lots of them) all say they can access your history and browsing data. Even though it's actually true, it feels like a gap in the permissions model.
3 comments

The problem is the gap is a mile wide. If you can see the current page URL, you can see the next page URL, and thus one page at a time you have the user's browsing “history” from the moment they installed the extension. If you can run arbitrary JavaScript then you can check the back URL. You could potentially add some scope-related restrictions to what injected JavaScript can do based on the permissions of the injecting extension, but that still doesn’t stop the sort of “one page at a time discovery” of your private information and/or browser history.
The only actual solution to this problem is some kind of human review.

I wouldn't be against an "App Store" model provided users could go around it if they chose. I think Mozilla does something like this with certain "featured" extensions?

You would need to have code review on every update and to ensure that no code downloads anything it evaluates, and potentially even check for interactions with other plugins which could be compromised to provide eval mechanisms in an effort to “wash hands” of any malicious changes in later updates. (Since the long tail of updates seems to be one of the significant risk factors with less scrupulous actors trying to buy popular extensions for things like ad revenues before later dumping them to people who use them for malware or lousy eventually turning to malware themselves.)

A review process can help, but sadly it’s got a lot of work to do if it wants to actually “solve” the problems here.

Opera browser used to have human reviewers for extensions. They were even commenting on code quality and rejecting until their fixes were not implemented.

I don't know if they still do it now or even if the browser is still developed.

  > it feels like a gap in the permissions model.
It _is_ a gap in the permissions model.
Then they need to be that explicit in other places too for consistency. Technically 3rd Party cookies also allow the same (tracking your browsing history, and other "worst case" results), but do they present it that way to the user when the user starts up Chrome and/or loads up google.com?

Try analyzing these things while wearing a tinfoil hat. Google wants to gimp extensions so that we're one step further away from tampering with the precious data pipe that Google wants from their servers to the user's monitor/eyeballs. If it gets in the way of that, they will neglect it (whether purposefully or conveniently unintentionally, like this seemingly benign wording).