[techdragon]

The problem is the gap is a mile wide. If you can see the current page url, you can see the next page URL and thus one page at a time you have the users browsing “history” from the moment they installed the extension, if you can run arbitrary JavaScript then you can check the back URL, you could potentially add some scope related restrictions to what injected JavaScript can do based on the permissions of the injecting extension but that still doesn’t stop the sort of “one page at a time discovery” of your private information and/or browser history.

[Wowfunhappy]

The only actual solution to this problem is some kind of human review.

I wouldn't be against an "App Store" model provided users could go around it if they chose. I think Mozilla does something like this with certain "featured" extensions?

[techdragon]

You would need to have code review on every update and to ensure that no code downloads anything it evaluates, and potentially even check for interactions with other plugins which could be compromised to provide eval mechanisms in an effort to “wash hands” of any malicious changes in later updates. (Since the long tail of updates seems to be one of the significant risk factors with less scrupulous actors trying to buy popular extensions for things like ad revenues before later dumping them to people who use them for malware or lousy eventually turning to malware themselves.

A review process can help but sadly it’s got a lot of work to do if it want to actually “solve” the problems here.

[bombolo]

Opera browser used to have human reviewers for extensions. They were even commenting on code quality and rejecting until their fixes were not implemented.

I don't know if they still do it now or even if the browser is still developed.