[mmahemoff]

Pretty much the same, which is different to general websites, which do on-demand permissions (as with iOS model).

Chrome extensions can request only access to specific URL regex's, so they can be fine-grained about location, but the actual permissions tend to be coarse-grained. And as a user, you can't change the URL regex (that's some low-hanging fruit right there - users should be able to edit the URL pattern for any extension).

In some respects, Chrome apps are morphing to be general websites (e.g. with manifest.json and installing to home screen on Android), so hopefully things will move more in the direction of the web. There were also some hints towards on-demand permissions in the security talk at the most recent Chrome Web Summit, I'm not sure it's proceeding.

[tracker1]

I really appreciate that an SPA can function more as an offline application, not just a website. I wish that there were a standard endorsed beyond just the manifest.json though... I wish there were a .{someExtensionThatIsReallyZip} package that contained a manifest.json, as well as all other files that package needed... this is how chrome extensions are, but it would be nice to see a standard model for apps supported by more browsers for this.

For all the things I didn't/don't care for regarding flash and silverlight, having a single compressed downloadable package is a nicety. I think Silverlight did a better job of it though. When Adobe bought Macromedia, my sincere hope was that they'd turn flash into a more open format that was an archive manifest with svg, mp3 and other assets with closer to plain JavaScript for their part. That could have been something browsers would be more likely to have embraced.

[TazeTSchnitzel]

>Pretty much the same, which is different to general websites, which do on-demand permissions (as with iOS model).

Websites are different probably because it wasn't Google who designed their model, thankfully.