I've created a few Chrome extensions, and I constantly get bombarded with aggressive emails practically demanding that I accept financial compensation in exchange for adding whatever sketchy javascript snippet they want me to add. Some even have the nerve to follow up as if they are offended by my silence when I don't respond to them. I'm not sure how those people even got their hands on my email address.
What infuriates me is that even extensions that are widely known to have succumbed to these sinister offers to include borderline malware in their extension, such as Hover Zoom, are not punished in the slightest even after being caught, or even required to remove the malicious javascript snippet.
What the hell is the point of all these XSS prevention measures in modern browsers, such as reflected XSS prevention, CSP, script nonces, etc. when all you have to do to bypass all of them is make your own browser extension? Is the team at Google that handles Chrome extensions completely unable to communicate with the team that handles browser security? The left hand has forgotten that the right hand even exists. I nominate Google as the company that the movie The Cube was warning us about.
If the suspiciously nameless author of this article wasn't paid by Google to write it, then he ripped himself off. If the author had performed the most basic research into the topic he was writing about, he would have learned that Firefox's approach to extensions is perfect and is the only reasonable solution to the security problems that exist with Chrome's extensions. An actual journalist writing about this topic would have swiftly concluded that Google should be lambasted for its blunders and mocked for not living up to Firefox's standards, rather than being borderline worshipped for barely doing anything to fix a horrific problem they openly invited in the first place.
What infuriates me is that even extensions that are widely known to have succumbed to these sinister offers to include borderline malware in their extension, such as Hover Zoom, are not punished in the slightest even after being caught, or even required to remove the malicious javascript snippet.
What the hell is the point of all these XSS prevention measures in modern browsers, such as reflected XSS prevention, CSP, script nonces, etc. when all you have to do to bypass all of them is make your own browser extension? Is the team at Google that handles Chrome extensions completely unable to communicate with the team that handles browser security? The left hand has forgotten that the right hand even exists. I nominate Google as the company that the movie The Cube was warning us about.
If the suspiciously nameless author of this article wasn't paid by Google to write it, then he ripped himself off. If the author had performed the most basic research into the topic he was writing about, he would have learned that Firefox's approach to extensions is perfect and is the only reasonable solution to the security problems that exist with Chrome's extensions. An actual journalist writing about this topic would have swiftly concluded that Google should be lambasted for its blunders and mocked for not living up to Firefox's standards, rather than being borderline worshipped for barely doing anything to fix a horrific problem they openly invited in the first place.