Exactly - it blows my mind how normalized the permission "Access your data for all websites" is (I think it's "Read and change all your data on all websites" for Chrome). I use only one or two extensions because of this. Why does a procrastination tool need such an insanely broad permission?
I wrote a Chrome extension[1] that reads no data but places a colored translucent div over the page. It requires that same "change all your data" permission.
My takeaway lesson is that the permissions model for extensions is confusing and nearly useless.
I also have a Chrome extension that needs access to page content on all pages, for the purpose of making text easier to read.
I could see distinguishing between extensions that in any way exfiltrate data from the pages you view, versus extensions that process the DOM and do something locally, but never send the data anywhere.
This requires a bit closer vetting than Google currently does, I think. To demonstrate that all processing happens locally, we encourage our users to load various websites with our extension toggled off, then go into airplane mode, and then turn our extension on. This doesn't strictly guarantee that we're not separately exfiltrating data (we aren't), but it does prove that our core process happens locally.
Yeah, it could make sense for them to structure their extension framework so that developers could work with website data in a sandbox, if their use case allows for it. That would enable developers who don't need to send data to a server for processing to prove that the data never leaves the user's machine.
I can see how many applications might want to read the page, but in my case it's not necessary. My extension tries to add a <div> under the <body> element, regardless of what's going on in the page. If there's no <body>, my extension stops working but the browser keeps going.
In short, if there were separate "read" and "write" permissions, I would only need "write". For privacy-concerned people, that's a very important distinction.
If it operates on more than one domain, it needs those permissions to function based on how the permissions system works. You can limit those yourself in the settings page for the extension, but everything else is basically workarounds applied to avoid that permission.
For example, a web clipper operates on multiple domains, but it can avoid it by using the activeTab permission instead and then offering optional permissions if it wants when you click on the clipper extension icon.
If you want something to be done automatically on multiple domains, this is not possible without that permission. Not unless you want to annoy users with prompts.
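The two manifest shapes the thread is contrasting (the overlay extension a few comments up that still gets the "all your data" warning, and the clipper that uses activeTab plus optional permissions), as an added example that is not code from any commenter. It is a Manifest V3 sketch for a hypothetical clipper; `clip.js`, the extension names and the per-site registration logic are assumptions, and the service-worker part only runs inside the browser.

```javascript
// Added example, not code from any commenter: how a Manifest V3 manifest
// decides whether the install-time warning "Read and change all your data
// on all websites" appears, and how the narrow variant asks per site instead.

// Broad grant. Either host_permissions or a content_scripts "matches" of
// <all_urls> triggers the all-sites warning, even if the injected script
// (say, a translucent overlay div) never reads anything from the page.
const broadManifest = {
  manifest_version: 3,
  name: "Clipper (broad grant)", // hypothetical name
  version: "1.0",
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["clip.js"] }],
};

// Narrow grant. activeTab covers only the tab the user clicked the icon on,
// only for that click; optional_host_permissions lets the extension ask
// later, one origin at a time, if the user wants automatic clipping there.
const narrowManifest = {
  manifest_version: 3,
  name: "Clipper (narrow grant)", // hypothetical name
  version: "1.0",
  permissions: ["activeTab", "scripting"],
  optional_host_permissions: ["https://*/*"],
  action: { default_title: "Clip this page" },
};

// True when a manifest grants access to every site with no user gesture,
// i.e. when the install warning the thread complains about will be shown.
function grantsAllSitesUpFront(manifest) {
  const hosts = manifest.host_permissions || [];
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...hosts, ...scriptMatches].includes("<all_urls>");
}

// Match pattern for one tab's origin, in the form chrome.permissions.request
// expects. Returns null for schemes an extension cannot be granted
// (chrome://, file:, about:, ...).
function originPatternFor(url) {
  const u = new URL(url);
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return `${u.protocol}//${u.hostname}/*`;
}

// Service-worker side of the narrow variant. Guarded so this file also loads
// under Node for the pure functions above.
if (typeof chrome !== "undefined" && chrome.action && chrome.permissions) {
  chrome.action.onClicked.addListener(async (tab) => {
    const origin = originPatternFor(tab.url);

    // Ask for a persistent grant on this one origin first, while still inside
    // the user gesture the click provides (request() must run in a gesture;
    // it resolves true without a prompt if the origin is already granted).
    let granted = false;
    if (origin) {
      granted = await chrome.permissions.request({ origins: [origin] });
    }

    // The click itself granted activeTab for this tab, so one-shot clipping
    // works whether or not the user accepted the per-site prompt.
    await chrome.scripting.executeScript({ target: { tabId: tab.id }, files: ["clip.js"] });

    // Only on an accepted per-site grant, register clip.js to run on that
    // origin automatically from now on. No blanket host permission needed.
    if (granted) {
      const id = `auto-${new URL(tab.url).hostname}`;
      const existing = await chrome.scripting.getRegisteredContentScripts({ ids: [id] });
      if (existing.length === 0) {
        await chrome.scripting.registerContentScripts([
          { id, matches: [origin], js: ["clip.js"] },
        ]);
      }
    }
  });
}
```

The practical reading of the thread: the warning is driven by what the manifest declares, not by what the script does, so a write-only overlay declared with `<all_urls>` and a data-harvesting extension look identical at install time. The narrow manifest shifts each broad grant into an explicit, per-origin, user-initiated decision that the user can see and later revoke on the extension's settings page.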
No, but (1) you are trusting the extension to not do that, and (2) even if you vet the extension now, it could change in the future. Or am I mistaken? My understanding is that by default, extensions update automatically. If you accept these permissions initially, then you implicitly accept them for any future update. The alternative is keeping track of and updating every extension manually, re-vetting each one every time.