by mmahemoff 4087 days ago
"This extension will have access to your browsing history and private data on all websites".

Which is usually accompanied by the developer apologising and explaining they have to declare this in order to provide the extension's core functionality. Users then learn to ignore these warnings, malicious extensions ensue.

I'm glad Google is taking malicious extensions seriously, but purging is a difficult semi-manual effort when extensions can update any time. A lot more effective would be to bake security into the whole model. Extensions shouldn't need to see your entire browsing history on all sites just to enhance some links or do syntax highlighting.

It should also be possible to request permissions on demand, and for certain URLs, instead of blanket-consenting before the extension is even installed. I know these things are a trade-off with simplicity, but should at least be there for orgs and individuals who want to take advantage of them.


Sounds like Chrome's "security model" for extensions is just as awful as Android? Large, sweeping permissions categories rather than fine-grained control, and all-or-nothing acceptance.
Pretty much the same, which is different to general websites, which do on-demand permissions (as with iOS model).

Chrome extensions can request only access to specific URL regexes, so they can be fine-grained about location, but the actual permissions tend to be coarse-grained. And as a user, you can't change the URL regex (that's some low-hanging fruit right there - users should be able to edit the URL pattern for any extension).

In some respects, Chrome apps are morphing to be general websites (e.g. with manifest.json and installing to home screen on Android), so hopefully things will move more in the direction of the web. There were also some hints towards on-demand permissions in the security talk at the most recent Chrome Web Summit, I'm not sure it's proceeding.

I really appreciate that an SPA can function more as an offline application, not just a website. I wish that there were a standard endorsed beyond just the manifest.json though... I wish there were a .{someExtensionThatIsReallyZip} package that contained a manifest.json, as well as all other files that package needed... this is how chrome extensions are, but it would be nice to see a standard model for apps supported by more browsers for this.

For all the things I didn't/don't care for regarding Flash and Silverlight, having a single compressed downloadable package is a nicety. I think Silverlight did a better job of it though. When Adobe bought Macromedia, my sincere hope was that they'd turn Flash into a more open format that was an archive manifest with svg, mp3 and other assets with closer to plain JavaScript for their part. That could have been something browsers would be more likely to have embraced.

>Pretty much the same, which is different to general websites, which do on-demand permissions (as with iOS model).

Websites are different probably because it wasn't Google who designed their model, thankfully.

It sounds like you would need the ability to access all the data on the page but not be able to phone home. Enforcing that sounds like a nightmare.
Right now extensions can provide a regex of the URLs that they will be enabled on. Obviously a malicious developer will just say "all" though.
Please tell me that it actually displays a regex to the end user during installation and asks them to read and approve it.
This has been there from the very beginning (as it was a part of GreaseMonkey/UserScripts), but it's not part of the permission system. This is the developer saying "only enable the extension on these pages." So the system to enforce this is in place, but it's not exposed to the end-user.
IIRC (using Firefox nowadays) it did tell the user what sites it was allowed on, although it did this through wildcards (e.g. "http://news.ycombinator.com/*") instead of regexes.
Unfortunately it's hard to access /any/ information on a page without accessing /all/ information on a page. Unless the page can expose the data itself (say, through an API) an extension will need to access the DOM. Accessing the DOM means data leakage from that page to potentially any server.
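As an added example that is not part of the thread, a small JavaScript auditor for the match patterns the comments above discuss: it implements Chrome's documented `<scheme>://<host><path>` wildcard rules (not regexes), flags the blanket "all sites" patterns, and reports which manifest entries let an extension see a given URL. The manifests `BROAD` and `NARROW` and the file name `hl.js` are constructed for the example.

```javascript
// Added example (not code from the thread): an auditor for Chrome extension
// match patterns, the "http://news.ycombinator.com/*" wildcards, not regexes.
const ANY_URL_SCHEMES = new Set(["http", "https", "file", "ftp"]);

// Turn one <scheme>://<host><path> match pattern into a predicate over URLs.
function compilePattern(pattern) {
  if (pattern === "<all_urls>") {
    return (url) => ANY_URL_SCHEMES.has(new URL(url).protocol.slice(0, -1));
  }
  const m = /^(\*|https?|file|ftp):\/\/(\*|(?:\*\.)?[^/*]+)?(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host = "", path] = m;
  // Escape regex metacharacters in the path, then let "*" match anything.
  const pathRe = new RegExp(
    "^" + path.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$");
  return (url) => {
    const u = new URL(url);
    const s = u.protocol.slice(0, -1);
    const schemeOk = scheme === "*" ? (s === "http" || s === "https") : s === scheme;
    const hostOk = host === "*" || host === u.hostname ||
      (host.startsWith("*.") &&
        (u.hostname === host.slice(2) || u.hostname.endsWith(host.slice(1))));
    return schemeOk && hostOk && pathRe.test(u.pathname + u.search);
  };
}

// Blanket patterns (bare "*" host or <all_urls>) are what trigger the
// "access to your data on all websites" warning quoted at the top.
function isBlanketPattern(pattern) {
  return pattern === "<all_urls>" || /^[^:]+:\/\/\*\//.test(pattern);
}

// Every host permission or content_scripts match that lets the extension see url.
function grantsFor(manifest, url) {
  const grants = [];
  for (const p of manifest.permissions || []) {
    if ((p.includes("://") || p === "<all_urls>") && compilePattern(p)(url)) {
      grants.push("permissions:" + p);
    }
  }
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) {
      if (compilePattern(p)(url)) grants.push(`content_scripts[${i}]:` + p);
    }
  });
  return grants;
}
// Constructed manifests: a syntax highlighter declared for all sites vs. narrowed.
const BROAD = { content_scripts: [{ matches: ["<all_urls>"], js: ["hl.js"] }] };
const NARROW = { content_scripts: [{ matches: ["*://news.ycombinator.com/*"], js: ["hl.js"] }] };
```

Running `grantsFor(NARROW, url)` against a handful of URLs is a quick way to check whether a content script is really scoped to the sites it claims to enhance.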