[londons_explore]

The problem is most codebase are huge - millions of lines when you include all the libraries etc.

Often they're compiled with typescript etc making manual review almost impossible.

And if you demand the developer send in the raw uncompiled stuff you have the difficulty of Google/Mozilla having to figure out how to compile an arbitrary project which could use custom compilers or compilation steps.

Remember that someone malicious wont hide their malicious code in main.ts... it's gonna be deep inside a chain of libraries (which they might control too, or might have vendored).

[londons_explore]

For example, the following hidden anywhere in the codebase allows arbitrary code execution even under the most stringent JavaScript security policy (no eval etc):

I=c=>c.map?c[0]?c.reduce((a,b)=>a[b=I(b)]||a(b),self):c[1]:c

(How it works is an exercise to the reader)

The actual code to run can be delivered as an innocuous looking JavaScript array from some server, and potentially only delivered to one high value target.

[ikekkdcjkfke]

And the reason we can’t put execution of non-declared code behind a permission is because one anal developer at chrome thinks that we shouldn’t break existing sites even though no serious site would do this and you could just show a permission popup with triangle exclamation mark

[londons_explore]

That's what's great about this - it is an interpreter which allows the attacker to do absolutely anything, but no non-declared code is directly run.

[johnebgd]

Users have largely been trained to click okay when asked to give permission without thinking.

[arein3]

Let me ask gemini

Wow, it deconstructed it beautifully

A Concrete Example Imagine you pass this array to the function: ['alert', 'Hello World'] Here is the step-by-step execution:

  Initialization: The accumulator a starts as self (the window object).
  Iteration 1 (b = "alert"):
  I("alert") returns string "alert".
  It tries a["alert"] (which is window["alert"]).
  This finds the alert function.

  New Accumulator a: The alert function.
  Iteration 2 (b = "Hello World"):
  I("Hello World") returns string "Hello World".
  It tries a["Hello World"]. The alert function does not have a property named "Hello World", so this is undefined.
  The || operator moves to the right side: a(b).
  It executes alert("Hello World").
  Result: A browser popup appears.

[cj]

Isn’t minified code banned from chrome extensions?

[electroly]

Google allows minified extensions and doesn't require you to provide the original unminified source. I've never provided Google the real source code to my extension and they rubber-stamp every release. The Chrome Web Store is the wild west--you're on your own.

Mozilla allows minification but you're required to provide the original buildable source. Mozilla actually looks at the code and they reject updates all the time.

[cj]

Obfuscation is banned. Minification is not.

https://blog.chromium.org/2018/10/trustworthy-chrome-extensi...

[sixtyj]

Probably off topic: I once tried to find bad code in a WordPress theme. And it was hidden so deep and inconspicuously. The only thing that really helped was to do a diff.

In JS this can be much harder to find anything suspicious when the code can be minified.

But back to Firefox: My house, my rules. So let external developers set some more strict rules that discourage the bad actors a little.

[sixtyj]

When managers take up their positions, they must sign not only their employment contracts but also various codes of ethics and other documents.

When a survey was conducted on the misuse of finances and powers, it was found that managers who did not sign the code (because they had to study it and then "forgot" to do so) were more likely to cheat than those who actually signed the documents.