
What's the technical term for this?

Ah yes. I remember: "pretty fucking bad, man".

If the Chrome team also have access to the source of these plugins, it seems pretty irresponsible that there's no audit process whatsoever. There should at least be random audits, particularly of popular applications.




That really is the least they should be doing. For contrast, here's Mozilla's policy for addons.mozilla.org: https://addons.mozilla.org/en-US/developers/docs/policies/re...

Chrome supposedly has a better security model (not to say that FF's is bad), but if it gets in the way so much that users are in the habit of allowing all extensions access to everything, then it's not really better.


And specifically, Mozilla's review process includes a "No Surprises" principle that covers cases like this one:

https://blog.mozilla.com/addons/2009/05/01/no-surprises/

"Changes to default home page and search preferences, as well as settings of other installed add-ons, must be related to the core functionality of the add-on. If this relation can be established, you must adhere to the following requirements when making changes to these settings: The add-on description must clearly state what changes the add-on makes. All changes must be ‘opt-in’, meaning the user must take non-default action to enact the change. Uninstalling the add-on restores the user’s original settings if they were changed."


Some things that could be improved upon: a better sandbox. Too many extensions seem to need my data on all sites. Maybe some extensions could work just as well with a copy of the DOM instead of the DOM itself?

And a policy that extensions must not be minified and some buttons on the extension view to read the source code with syntax highlighting and all.


Everyone has access to the source of extensions - they're just a collection of html, javascript, css & images.


Not before they've installed them they don't.


Google's corporate philosophy seems to be to reduce manpower needed to run operations to the bare minimum possible, and if something cannot be automated, they prefer not to do it, thus maintaining their high margin of profit.

That's why they try to tweak the search algorithm instead of banning or downranking abusers outright, have no approval process for the Android market, make it next to impossible to reach a human for support for Google Apps, Gmail etc.

That's the reason they have only 29,000 employees, compared to 19,000 in just Motorola Mobility.

So don't hold your breath waiting for the Chrome team to audit extensions or Chrome apps anytime soon.

I wish they could at least crowdsource some of the work, like allowing search users to label spammy sites and downrank them based on the collective users' authenticity (calculated from Gmail account's age, usage, Google+ usage) so that spammers can't do the same.



