Love the idea. I wish Chrome extensions had a more granular permissions structure and/or reminders/security checkups on installed extensions and their permissions.
As it is, the content scripts manifest permission for https://*/* for content.js is always so jarring to see. For those that don’t know, this allows the extension to run that script on every site you visit after clicking accept ONCE when you install the extension. That means it can see financial info, health info, legal info, your diary, etc…
Now this makes sense from a usability perspective (I never have to see a cookie banner ever again!), but the author could change content.js at any time and the extension would continue to run without prompting the user.
This is not an attack on you, Mitch! It sure looks like you’re trying to provide value in this world rather than take it. Rather, it’s an attack on Google’s extension security model. I’m really shocked Google has not taken a more careful and nuanced stance to protecting users from a security standpoint.
I write this as a fellow Chrome extensions dev. I wish I had better, more granular permissions structures to protect my users and give them more information about what I am requesting and why, along with regular reminders so they can make informed decisions about what they want to share.
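A check for the kind of manifest entry the comment above describes, as an added example that is not part of the thread or of the extension's code. The function names and both sample manifests are constructed for illustration; the manifest keys (`content_scripts[].matches`, `host_permissions`, `optional_host_permissions`, `permissions`) are the standard ones.

```javascript
// Added example: flag manifest entries that let extension code run on every site.
// A match pattern has the form <scheme>://<host>/<path>; it is "broad" when the
// host is a bare "*" or when the pattern is the special value <all_urls>.
function isBroadPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Returns one finding per broad pattern, naming where in the manifest it sits
// and, for content scripts, which files get injected.
function auditManifest(manifest) {
  const findings = [];
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) {
      if (isBroadPattern(p)) {
        findings.push({ where: `content_scripts[${i}]`, pattern: p, scripts: cs.js || [] });
      }
    }
  });
  // MV3 lists host access in host_permissions; MV2 mixes it into permissions.
  for (const key of ["host_permissions", "optional_host_permissions", "permissions"]) {
    for (const p of manifest[key] || []) {
      if (typeof p === "string" && isBroadPattern(p)) {
        findings.push({ where: key, pattern: p, scripts: [] });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const broadManifest = {
  manifest_version: 3,
  name: "sample-banner-rejecter",
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
  permissions: ["storage"],
};
const scopedManifest = {
  manifest_version: 3,
  name: "sample-scoped",
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["content.js"] }],
  host_permissions: ["https://example.org/*"],
};

for (const sample of [broadManifest, scopedManifest]) {
  const found = auditManifest(sample);
  console.log(sample.name, found.length ? JSON.stringify(found) : "no all-sites access");
}
```

Pointing `auditManifest` at the parsed `manifest.json` of each installed extension gives the periodic permissions checkup the comment asks for; it says nothing about what the injected script does, only where it is allowed to run.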
The broad permissions were required from a usability standpoint. Granting permission on every site for this extension would just be a 1 to 1 replacement of clicking reject on the banner or pop-up for every site.
I would hope that before Chrome approves an extension to be added to the store that they are auditing the content of the package.
Personally, I would still love a site-by-site "reject non-essential cookies" prompt from an extension that's in the same place, with the same UI, on every site. Still a click, but lots better than having to figure out how to accomplish it on each and every site.
Exactly. The biggest pain is to read and figure out what the next button actually does. Is the big button an accept all? Use selected? Or whatever wording they use. I might not want to block cookies for certain pages. So an extension that finally creates this single UX flow would be very helpful indeed.
One of the reasons Manifest v3 was started is that it is impossible for an extension that evals arbitrary code from the web (or downloads, say, a dynamic list of data and acts on it).
Fundamentally there is no reason anyone in their right mind should install an extension released by an individual with these permissions. It is a post-decryption access to every single thing you do online. It is absolutely insane to trust your web browsing to a random browser extension, even a useful one ("cloud to butt" is my favorite example of people deleting their entire security model for a joke).
Anyone can buy out or compromise this developer and slide complete takeover of your online life into an extension update.