Browser extensions are underrated: the promise of hackable software (2019) (geoffreylitt.com)
596 points by mufty 4 months ago | 311 comments



Post author here! I wrote this post five years ago. Since then, my conviction in the value of customizable software has only grown, but I've also updated my thinking in a few ways:

1) AI

AI is rapidly getting better at coding. Current AI is often bad at high-level architecture but is capable of making small local tweaks. Seems like a good fit for the kind of code you need to write a browser extension!

I'm exploring this direction; wrote more about it in "Malleable software in the age of LLMs" [1]

2) Security

Having talked to people who worked on various extension platforms including the browser extensions API, I see more clearly than I did five years ago that security is often the key bottleneck to deploying extension platforms meant for mass adoption. Anytime you want everyday computer users to be installing invasive extensions to important software from untrusted third parties, it's gonna be challenging to protect them.

That said, I still think that conversations around extensions tend to focus too much on security at the expense of all else. Customizability is important enough that it may be worth prioritizing it over security in some cases.

I also think there are many reasonable paths forward here. One is to exchange extensions with trusted parties -- e.g., coworkers or friends -- rather than installing from random people on the internet. Another might be to only build your own extensions; perhaps that'll become more viable with AI-assisted programming, although that introduces its own new security issues. And finally, I've met a few people who have smart ideas for architecting software in a way that helps resolve the core tensions; see [2] for an example.

3) Backend access as a key limitation

I've increasingly realized that the fact that browser extensions can only access client code in a fairly server-centric web means that many deep customizations are out of reach. Perhaps you can't read the data you want, or there's not a write API to do the thing you need.

While I'm optimistic about what extensions can do within the boundary of the client, this is an inherent limitation of the platform.

At Ink & Switch (the research lab I now work for), we're working towards local-first [3] software: collaborative software where the data and the code live on your device. Among other benefits like privacy, we think this is the right foundation for more powerful extensions, since your data and the app code aren't locked away on a server.

[1] https://www.geoffreylitt.com/2023/03/25/llm-end-user-program...

[2] https://www.wildbuilt.world/p/inverting-three-key-relationsh...

[3] https://www.inkandswitch.com/local-first/


The security problem of open platforms is the key.

Anything that is open enough to let someone who knows what they're doing customize the system to their liking, will also be abused by bad actors persuading people who don't know what they are doing to customize the system in ways that harm them.

The fact I can write my own custom keyboards on Android is great! But the fact someone can convince your grandparents to install a keyboard that includes an embedded key logger is not!

Browser extensions have always been a malware-rich ecosystem. Joking about removing all the toolbars from your parents' Internet Explorer whenever you went home for thanksgiving dates back to about 1999.


Custom keyboards are a great example of an app that - by default - shouldn't have write access to shared resources (that is, no network access, no writing to files which other apps can read).

Adding either of those entitlements to a keyboard app should require extremely scary dialogs. Needs to be possible - perhaps you want your password manager with sync to be part of the keyboard app - but it's clearly a huge risk.


Until you want to be able to download language dictionaries or an updated language model. Or if your keyboard is actually a remote keyboard or shared keyboard taking input from some other devices.


> Until you want to be able to download language dictionaries or an updated language model.

You don't need the keyboard application to be able to communicate externally for that. You could have a separate, optional, downloader/installer. That's better for security all around.


Mobile OS vendors have already thought of that and came up with the exact same solution of requiring entitlements to access the network from a keyboard app:

https://developer.apple.com/documentation/uikit/keyboards_an...

The question is do you actually trust regular users to understand what’s going on when they’re asked for permission to grant an app the ability to do something sketchy?


Bear in mind that on iOS, you can't just prompt for permission; those "regular users" need to be able to navigate to the settings app, find the relevant (deeply nested) section, and enable it there.

That narrows the gap significantly - to users who can't understand the issues, but can (even with the app providing an explanation) find reasonably well-hidden settings.


I've heard from a couple developers over the years that it's entirely impossible to implement a setting that will not be changed by people who don't know what it does.

It doesn't matter if it's behind a footnote, an easter egg, a password input, a magic email code, a call with the main project developer, all of the above, etc. No matter how many steps you try to add, there are still an incredible number of idiots who will mindlessly tap through literally any number of dialogs, warnings, and disclaimers to get to what they want.

Their brain will entirely filter out the path they took. They will probably not even remember a single one of those intermediate steps. The only thing they care about is that they're fixing some problem.

This could be one of the reasons Apple and Google don't want you jailbreaking/rooting your devices. Someone will inevitably make a guide, and millions of idiots will follow it. It will legitimately make the device less secure for them because they won't have any idea what they are doing and likely won't even remember doing it. The only thing they care about is that they're fixing some problem.

This is one reason why some people get so panicked and upset when anything on their computer changes unexpectedly, even if the change is actually harmless. They never actually understood anything. They had managed to accidentally get it how they want it through a combination of stuff that they don't remember. When anything changes, they have to go through that process again.

Look, these people are great at following guides and learning routines. Repetitive, mindless tasks like data entry are perfect for them, because they have no other talent to worry about wasting. But because these people exist, you have to be really careful about what settings you add, no matter how well you think it is hidden, because they will be changed by people who don't know what they're doing.

So far, the devs that have told me this have done so because I asked for some setting to turn off some safeguards, and they said that it's a near-universal request from power users, but they still can't do it, because the rest of their userbase is too clueless to be trusted with that setting. They'd receive bug reports from people who have no clue what went wrong, when the reality is that they disabled the safeguards in order to make something work, and then promptly forgot what happened once it worked the way they wanted. This has supposedly happened so many times in the past that they just don't take the risk anymore.

Anyway, all this is to say that while hiding a setting, as opposed to automatically prompting for it, can definitely rule out a decent chunk of idiots, you will never be able to rule out the resourceful idiots that can mindlessly follow instructions.


I think you underestimate how much we all are these resourceful idiots under the right circumstances.


I'm biased because I'm neurodivergent, which means I don't have as much experience with neurotypical thought processes.

While I do use search engines and the resultant resources all the time, I don't follow steps completely cluelessly/mindlessly and later forget that I did it. I don't know what the equivalent would be for non-tech - I at least try to understand what a guide is doing so I can reproduce it independently later. I try to develop basic intuition for everything that I do. It is hard for me to imagine someone who lacks that ability. I don't mean to be offensive to anyone in particular, I just use "idiots" for the sake of argument to explain how any setting will eventually be found and changed.

Is it normal to forget the steps you took to accomplish a task? To, say, specifically turn off a setting for crash protection, then completely pull a blank if the program gets into a crash loop later?


It’s not necessarily that you will forget that you changed a setting.

What’s more likely is that if you change a setting with an incomplete mental model of what that setting affects, you might later discover that it opened you up to some risk that you did not appreciate when you made the change.

This affects technical users just as much as nontechnical users, it just kicks in at a different level.

A user who clicks the ‘install anyway’ button on an OS warning dialog telling them they are about to run untrusted software might be doing so without an appreciation of quite how many safety features they just disabled, so when asked later on ‘when did you turn off your firewall?’ they honestly don’t know that was something they ever did.

But likewise, a developer who enables a setting to solve problem A, without realizing that that setting will also screw them when they run into problem B, is… basically the cause of 99% of debugging.

‘It can’t be DNS because that would always be cached, unless there’s some setting that… son of a bitch, who knew that when you enable debug logging it disables DNS caching?’ - some developer somewhere at least once a day


> Is it normal to forget the steps you took to accomplish a task?

Yes, it’s very common. Immediately after doing it, in fact.


> Yes, it’s very common. Immediately after doing it, in fact.

Do you not even make mental notes of permanent changes you've made to the system...?

I mean, I don't think you'd, say, turn off some crash protection and then later complain about crashes. You'd remember that you previously turned it off, wouldn't you?

I'm so confused, heh.


> I'm biased because I'm neurodivergent, which means I don't have as much experience with neurotypical thought processes.

> I'm so confused, heh

I’m biased right now because you assume stuff about me that you maybe shouldn’t.

Everyone’s experiences and thought processes might be starkly different from each other.

(No matter which observational group you put people into.)


> I’m biased right now because you assume stuff about me that you maybe shouldn’t.

I only talked about "typical thought processes" because you said "we all" which I assume meant the general population. Didn't assume anything about you.

Even though the base problem was given to me by another, everything I wrote about "what makes a resourceful idiot / how they are a problem" is based on my personal perception of the ones that I've seen. Which is most likely going to be a neurodivergent's impression of certain neurotypicals. AKA biased.

And the "I don't think" was leading a question, not making an assumption about you.

> Everyone’s experiences and thought processes might be starkly different from each other.

...which is why I'm so hesitant to believe that everyone is a resourceful idiot.

And why I made a disclaimer about the fact that my own thought processes might be starkly different from not just who I'm describing, but other brains in general.


At this point I don't really know if you understand what 'neurodivergent' means. People who suffer from neurodivergency do not have different mental mappings than those who are neurotypical. Also, the way they construct their own world does not differ from neurotypical.

The mind process you have described is pretty standard, even using some different things to recover information instead of saving it. There is no neurodivergent path of extracting information and there is no neurodivergent understanding of reality or neurodivergent thought process.


This comment is puzzling to me on several levels, but I'll just go to the centre of the topic. Do you feel that something needs to be addressed about the way LoganDark disclaimed that they were biased on account of their neurodivergency?


How did you jump from

> At this point I don't really know if you understand what 'neurodivergent' means. People who suffer from neurodivergency do not have different mental mappings than those who are neurotypical. Also, the way they construct their own world does not differ from neurotypical

to

> Do you feel that something needs to be addressed about the way LoganDark disclaimed that they were biased on account of their neurodivergency

?


Well, why is he talking about what neurodivergency means? Why does it matter in this comment thread? I don't see what he wants to say, so I ask.


maybe they think the disclaimer was unnecessary or misguided if there's no actual difference between neurotypical and neurodivergent there?


I think your disclaimer is fine, I just wondered where Malcolmlisk wanted to go with his comment.


> People who suffer from neurodivergency do not have different mental mappings than those who are neurotypical. Also, the way they construct their own world does not differ from neurotypical.

You would be surprised.

> The mind process you have described is pretty standard, even using some different things to recover information instead of saving it.

Well, I'm glad that it seems accurate at least. I was trying to describe a "standard" process, after all.

I should let you know, though, that my brain doesn't work that way. Reason why I say I'm biased is because I don't see what I described as a particularly interesting way to live life, so my description of it might be overly cynical / insulting.

> There is no neurodivergent path of extracting information and there is no neurodivergent understanding of reality or neurodivergent thought process.

I don't know about a neurodivergent path of extracting information either, but you should know for a fact that certain neurotypes, such as autistic ones, do have a different thought process than normal.

When I think about something, my brain will also pull up every possible related thing and assemble an entire picture for me automatically. This is usually called something like "increased associative ability". I'm just very good at considering very large quantities of facts simultaneously.

It's not the same as being reminded of something I know. It's recalling every thing I know simultaneously that could possibly have any effect or be related in any way. Anything that could possibly have relevance.

I get that "for free" as a part of my neurotype. A neurotypical person would likely have to do that consciously or go through some sort of mental process in order to reproduce the same result. I don't have to do that. It happens automatically and instantly.

But because it happens automatically, I can end up looking really awkward because I tend to not be conscious of my processing delays. For example, someone asks me a question, I go "what?" and then give them an answer anyway before they can repeat it. For a second I thought I didn't hear the question, but it was just processing in the background.

Everything processes in the background for me. Thoughts just evolve on their own, draw from relevant memories on their own. All I really have to do is watch.

Try telling me that everyone's thought process works that way.


No, some set of people will forget. Even if they intended or desired to remember. Mental notes fade for some set of people. And at different time lengths.


hmm, I suppose that's true. I have a lot of friends who also have dissociative disorders, and some of them just dissociate all the time and forget everything, regardless of whether they would've forgotten normally


I don’t remember what I had for lunch


I bookmarked this post, thanks! Really interesting.


A great XKCD on the topic: https://xkcd.com/2044/

I do think that with every turn of that cycle we end up with better compromises. They’ll still be compromises, though.


Executing untrusted code would be a lot safer if browsers and mobile OSes would make it easy to provide fake resources to the app/extension.

Yes, you may read my phone contents, and as far as you know, it's the contents, the whole contents and nothing but the contents - it just happens to be a folder to me. An empty folder. It's a new phone you see.

Yes here's my contact list. Sorry it's mostly empty, there's just the costly premium number in there. I hope your mothership doesn't try to call it.

Yes, here's my microphone. Oh thank you, yes, I do a good impression of Rick Astley.

Pictures on my phone? Oh yes, right this way. It's all pictures of turnips. Do you like them?


Similarly every browser should have the capability to report to sites that the user has notifications enabled when they actually don’t to end those annoying in-site “pre-prompts” which bait you into saying no to the pre-prompts so they can try to ask you again later, rather than just deal with the fact that the user denied permission with the browser-level prompt and isn’t interested.


I don’t think this is a bad idea per se (after all a fundamental principle of the open web is that the user should control the browser). However, although your suggestion is fun, it is mere civil disobedience for geeks.

The million dollar question is: how do you deliver those capabilities (a) without having grandma's phone full of spyware and (b) without giving your favorite Silicon Valley thought leader a 40% cut and total control of the ecosystem?

I don’t have the answer. Just trying to formulate the problem.


> The million dollar question is: how do you deliver those capabilities (a) without having grandma's phone full of spyware and (b) without giving your favorite Silicon Valley thought leader a 40% cut and total control of the ecosystem?

That seems orthogonal? Grandma's phone has the same spyware either way, but this makes it a toss up whether it can spy on anything real


iOS does offer options for "read selected photos" and "add-only photos".

Contact list subset and pseudo-sensors (camera, microphone, accelerometer, barometer) are much needed.

Preset location is also needed, but some apps enforce DRM or other policy by location.

App-level network policy (whitelist, blacklist) is needed. For enterprise MDM, iOS allows per-app VPNs, which could enforce app-specific network filtering. With Apple Configurator policy files, Safari can have on-demand VPNs for specific websites.


> iOS does offer options for "read selected photos" and "add-only photos".

The annoying thing here is how apps insist on either requiring full album access so they can implement their own photo picker or don’t provide a button to re-trigger reselection of “selected photos”.

I wish they’d just use the standard OS selector dialog and call it a day. I don’t care if the standard selector doesn’t meet some stupid product requirement, it’s good enough.


> don't provide a button to re-trigger reselection of "selected photos"

iOS Settings should have an app setting menu to "Edit Selected Photos".


There is already a permission system?


The issue the parent is trying to solve is you don't really have fine grained enough control, or apps nag you and won't load until you give them everything they want. My mom has a cheap camera security app that allows me to see the live streams from remote. Every single time I open the app it asks me again if I want to allow it access to my local network. The answer is a resounding "no". If I could just say "fake yes, here is my fake network", then I wouldn't be continually coerced into giving permissions to something I really don't want to share. I can think of many similar examples, another really common one is giving apps access to my contacts. Absolutely not, stop asking me, here is "Uncle Bob" with phone number 1-222-222-2222. Leave me alone


I wish it were easier to deny internet access to Apps. It isn't a perfect solution but it prevents the simplest data theft. Unfortunately side channel attacks are still too easy: Either a cooperating app, or send once of high value data via a link click opening the browser.

From what I can tell, internet access is the default just to allow apps to have advertising. Too cynical?

Android originally could deny internet access to Apps which I found useful.

Certainly I don't want an extension or plugin to have pull access to the internet. That may limit functionality. But often only push is needed (e.g. blocking list could be pushed). No third-party keyboard should have internet access.

Edit: rewrote a little clearer.


Denying access to apps: if you're on Android, you can root it and use AFWall+, which just sets up a basic Linux firewall - but apps are installed as individual users, so you can just allow the apps that actually need internet - messengers and browsers, and things you want to sync across networks.


XPrivacyLua for Android does just that. It requires LSPosed, which enables deep modifications of the OS and other apps. Needless to say, that has its own security implications.


Denying "local network" permissions is hilariously worthless. On both Android and iOS all it does is prevent software from sending out multicast packets (for things like device discovery, Chromecast, etc. that don't use DNS-SD), it can still go ahead and just start trying to iterate through the entire RFC 1918 address space and try to connect to everything on your network.

I spent a bunch of time trying to figure out how I would implement such a feature on a standard Linux system to sandbox apps on my PinePhone, but there's no sane way you can implement a standard "you can have internet access but not touch my local network" policy.
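
Added example, not part of the comment above: the per-destination check that an "internet but not local network" policy would have to make, set against a permission that (as the comment describes it) only stops multicast. The function names, the constructed sample addresses, and the choice of which ranges beyond RFC 1918 count as local are assumptions of this example.

```python
import ipaddress

# Unicast ranges an "internet yes, local network no" policy must treat as
# local. RFC 1918 is what the comment names; the other entries are this
# example's assumption about what else belongs in the set.
LOCAL_UNICAST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "169.254.0.0/16",  # IPv4 link-local
    "100.64.0.0/10",   # shared address space (RFC 6598)
    "fe80::/10",       # IPv6 link-local
    "fc00::/7",        # IPv6 unique local addresses
)]
MULTICAST = [ipaddress.ip_network(n) for n in ("224.0.0.0/4", "ff00::/8")]
LOOPBACK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]


def normalize(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d),
    so a v6 socket cannot be used to sidestep the IPv4 ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def classify(addr):
    """Return 'loopback', 'multicast', 'local-unicast' or 'internet'."""
    ip = normalize(addr)
    for kind, nets in (("loopback", LOOPBACK),
                       ("multicast", MULTICAST),
                       ("local-unicast", LOCAL_UNICAST)):
        if any(ip in net for net in nets):
            return kind
    return "internet"


def decide(addr, policy):
    """'multicast-only' models the permission as the comment describes it;
    'full' models the policy the commenter wanted. Allowing loopback under
    'full' is an assumption of this example."""
    kind = classify(addr)
    if policy == "multicast-only":
        return "deny" if kind == "multicast" else "allow"
    if policy == "full":
        return "allow" if kind in ("internet", "loopback") else "deny"
    raise ValueError("unknown policy: " + policy)


def leaks(destinations):
    """Destinations the multicast-only permission lets through even though
    the full policy would block them."""
    return [d for d in destinations
            if decide(d, "multicast-only") == "allow"
            and decide(d, "full") == "deny"]


# Constructed sample of outbound destinations (documentation ranges stand in
# for public internet hosts).
SAMPLE = [
    "224.0.0.251", "ff02::fb",          # multicast discovery
    "192.168.1.1", "172.31.255.254",    # RFC 1918 unicast
    "172.32.0.1",                       # just outside 172.16.0.0/12
    "::ffff:10.0.0.5",                  # RFC 1918 via IPv4-mapped IPv6
    "fe80::1", "fd12:3456::1", "100.64.0.1",
    "203.0.113.10", "2001:db8::1",      # stand-ins for internet hosts
    "127.0.0.1",
]

if __name__ == "__main__":
    for dest in SAMPLE:
        print(f"{dest:22} {classify(dest):14} "
              f"multicast-only={decide(dest, 'multicast-only'):5} "
              f"full={decide(dest, 'full')}")
    print("allowed by multicast-only, denied by full:", leaks(SAMPLE))
```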


Well, maybe the best reaction would be to uninstall the app and give it zero stars.

Of course, if you've bought hardware controlled by it, that's unfeasible. Keep it in mind for next time.

I don't suppose there are review sites that mention how predatory and nagging a mobile app is?

I've basically given up on mobile apps around when the iPad 3 was launched and never looked back. The reasoning being that I got an iPad 1 when it was new, and you could still find pay once games then. But they all got replaced by free to play gambling applications mislabeled as 'games'. Then the news about utility applications tricking you into $50/month subscriptions came about...


I'm so excited about the malleable software / local-first / local-AI crossover, I feel like we are at the dawn of a new era of software. If we play our cards right, we can bring back control of our data from the large corporations, have ownership, and more control of how we work.

I'm particularly interested in how general purpose CRDT toolkits like Automerge and Yjs could become the backing filetype for local-first software with interoperable sync/collaboration backends. The user can then have direct access to the underlying data via standard tooling. Files can be linked, embedded within each other, forked and merged.

We could have a new hypermedia platform built on this, where all documents are possible to be shared, forked, edited in realtime...

Basically, love what you are all doing at Ink and Switch, excited to see what you publish next.


taking back control from evil corporations is a funding/finance problem, not a technology problem. Everyone dreams of democratized ownership until they have to pay the huge developer salaries. and the go to market costs are even higher than that, all channels are saturated and you have to be louder than the noise.


It’s absolutely a technology problem. The hacker mentality is still the one who innovates and a single person is more than enough to make a significant contribution towards a very different future. That person is probably already working on it.


And here I will interject and argue a third point that it's primarily an organizational problem, and I am already working on it.

Not ready to spill the beans yet though on my projects, first have low back surgery tomorrow to get an artificial disc put in between L5-S1 - and will see how much my overall pain goes down, and how much my productivity can go up - before knowing when I can make any public announcements.


Major limitation of browser extensions is that if you want to just write them for yourself, there's no user friendly, scalable way to install them. There's no way to tell the browser that you trust all extensions in some directory to be loaded automatically and be used without signing and without maybe even having to be packed into XPI file. There's no "put a bunch of code+manifest into a directory and have browser use that" feature. This kind of simple deployment drove me to write a ton of userscripts when Greasemonkey just loaded plain files from gm_scripts/ subdir of browser profile directory. It was fun and easy to extend websites back then. Mozilla killed all that.

Deployment is just terrible. There's no way I'm sending my extensions somewhere over the internet to get signed after every change so I can use code I wrote on my own computer. WTF dystopia is that? Never mind the last time I checked the tooling for signing is some stupid ass 100MiB+ NPM/node app I have to now trust too. It's bigger than a freaking Linux kernel build itself.


I would normally agree with your assessment, but the problem is that the browser vendors often revoke APIs, and destroy good popular extensions.


> Customizability is important enough that it may be worth prioritizing it over security in some cases.

100% this. It should at least be acknowledged that "security" often means less options for the user.


Solution: move everything to client side.


Are you sure browser extensions improve the web apps?

Maybe they attempt to fix them because they're limited by the platform and mostly low quality software?


Just the framing of "browser extensions" is extremely problematic in the year 2024.

Most browser extensions by weight are Google Chrome extensions. Google Chrome is unambiguously demonstrating that no API is safe in its quest to juice revenues. Anybody who builds extensions using Chrome's APIs should be very aware that they're quite possibly putting effort into something a juggernaut will stomp away without a second thought.

I don't care to live in strategically lost situations like this, so I think the conversation should be about Firefox extensions. Which also don't have a great track record (the transition to Google Chrome compatibility a few short years ago still annoys me greatly), but are a qualitatively better counter-party to deal with.


Forget all that.

1. They increase the attack surface of the browser

2. They have routinely been transferred to (for money) or taken over by malicious entities

3. Often they subtly break things in ways that are fine for expert users but which result in support reach out by others

The whole extension thing is a mess.


Replace browser with operating system or computer and expand extensions to user installable programs and it mostly still rings true. I believe users should be empowered to modify their installed applications as they see fit.


It doesn't ring true for installed software anymore — "virus scanners" have gotten to the point where they just work for most people, desktop software is more difficult to develop (for your average hacker wannabe), more difficult to get users to install, and has far less valuable data to go after.

I actually very much like Apple's approach to browser extensions forcing them to be truly installed software and in the purview of tools that protect the rest of the system.

The Chrome browser extension ecosystem is perfectly fine in theory but suffers from reinventing installed software without taking any of the lessons we've learned about OS software. Nice cautionary tale but the web is different.


On a typical PC, installed software has even more permissions than a browser extension, and all any malware author has to do is write their own keylogger or upload the browser cookie database. Sure, it's a little more effort, but I think the only real advantage that malicious browser extensions have over native programs is the discoverability and auto-update Google and Mozilla give them "for free".


Wouldn't AV pick up uploading browser cookies?


I don't know, it would be simple enough to catch, but would also flag access by file managers. Probably the only way is to test. Generally I've found writing malware from scratch is enough to get it through AV, but I only tested on what I had installed.


> It doesn't ring true for installed software anymore — "virus scanners" have gotten to the point where they just work for most people

... by allowing software from big corporations no matter how user-hostile it is while randomly flagging/deleting harmless software made by individuals/smaller groups who have not paid the protection racket.

The AV industry is a scam.

> desktop software is more difficult develop (for your average hacker wannabe)

Desktop software can be written in the same languages as webshit and more.

> and has far less valuable data to go after

All data available in browsers is also available to native programs running besides.


Actually hilarious that we have people here defending removing extensions, as if they didn't live through the days of Internet Explorer. Well, maybe they didn't. I hope they enjoy the eventual return of popups.


> Actually hilarious that we have people here defending removing extensions, as if they didn't live through the days of Internet Explorer.

I wouldn’t be surprised if Gen Z didn’t live through it.


They never left, they're just called modals now.


Endless EU Cookie modals that you have to always click through because you clear cookies.


All the more reason why we need to be able to automate our browser through extensions.


a) Those can be closed along with the website because they are all inside the same tab.

b) Extensions can remove them, which is the point of this discussion.


Small price to pay for adblock


Forget all that.

1. They increase the attack surface of the operating system

2. They have routinely been transferred to (for money) or taken over by malicious entities

3. Often they subtly break things in ways that are fine for expert users but which result in support reach out by others

The whole web browser thing is a mess.


Ultimately, as a society, we have to decide what is more important: the best of us or the worst of us.


Framing it like that makes it much more simplistic than reality. While there are some people you can clearly place into "best" or "worst", most people fit somewhere along a spectrum where their placement changes day to day. You ever had a bad day where you forgot to do something you would have done any other day?

Do you want software that allows you to do anything on a good day but is potentially catastrophic on a bad day?

The answer may still be yes, but regardless it's a more complicated question than best vs worst.


That's fair, I was being more flippant than necessary. :)


Exactly. We can either put bars on our windows to prevent criminals from breaking in or we can go after the criminals directly so that we don't have to worsen our living conditions. Both kinds of societies exist - low trust and high trust ones. I prefer living in the latter.


"Those who give up freedom for security deserve neither."


The real quote is more nuanced: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety". It's a balance, obviously. I'm happy to have guardrails if they improve non-technical users' safety.


> I'm happy to have guardrails if they improve non-technical users' safety.

Not at the expense of expert freedom.


Safety is paramount for experts. Those who disregard the importance of safety are likely not experts in their field.

If the "console" analogy doesn't resonate, think of Apple as NASCAR. NASCAR has created a private ecosystem. Participating in NASCAR as a team or a driver is a choice, contingent upon meeting their requirements and paying entry fees. NASCAR implements numerous safety measures — SAFER barriers, catch fencing, HANS devices, etc. — to protect everyone involved, whether spectators (users) or drivers and teams (developers and vendors).

NASCAR prioritizes the ecosystem first, then spectators, then teams and drivers — in that order. It doesn’t compromise the ecosystem or spectator safety to accommodate individual teams or drivers. Driver safety is crucial, not just because NASCAR values them, but because incidents involving drivers can negatively impact the ecosystem and spectators.

Those wishing for NASCAR to resemble the Baja 1000 are tilting at windmills. Similarly, people who want iOS to be like Android aren't just wasting their time, but also disregarding the preferences of users who prioritize platform safety.


Sounds really cool, but I don’t buy it.

> Those wishing for NASCAR to resemble the Baja 1000 are tilting at windmills. Similarly, people who want iOS to be like Android aren't just wasting their time, but also disregarding the preferences of users who prioritize platform safety.

How does providing the ability to sideload and having the ability to use a custom browser engine compromise the system? How does having the ability to use a terminal disregard platform safety?

All of those are artificial limitations and you know it.


People don't join the Apple cult for the safety. They join it because it's a status symbol and they don't want to be bullied.


Most users have no idea the tradeoffs between the two. Or the dominance both have in their respective realms. Or the possibilities of having more viable platform choices.


4. They are required to make the web usable which makes points 1 to 3 irrelevant.


Honestly as much as I love Firefox this is an underrated concern.

Firefox allows their extensions to be far more powerful than Chrome's, but that power means they are also far more dangerous.

If Firefox were to really take off (like it should, imho), are we really ready for a web full of people being attacked by the worst spyware ever?

Chrome, for all its faults, has ruined their extension framework at least in part because they were trying to prevent this threat.

How do we make this work? Endless notification spam from the plug-ins? Expensive certifications for each plug-in release?


I’d be really curious about a system where browser extensions are limited to ~200 lines of code. No mechanism for distribution beyond typing text in. No concerns about permission. It would be interesting to see what people can do in an ecosystem where extensions can actually do anything but it is expected that people will actually read the code before running it.


My reaction would be simpler: Anything that's identified as risky? Show the user. Extension is making an HTTP request? Show the body in a toast. Extension is reading the keyboard? Same thing. Extension is looking at the page? Little icon in the corner showing the name of the extension and that it looked. Can't be turned off. So extensions can still do all that crazy stuff, but they're noisy about it.


If nothing else, basic logs of everything an extension does should be kept so that technically knowledgeable users can take a look at the logs periodically (and maybe have them watched automatically by tools) to make sure everything checks out.


I don’t really see this as simpler:

1) “identified as risky” seems like it could hide some significant complexity (and room for error).

2) An extension might need to read from the keyboard. I don’t want to OK it every time. If I check once and then mark it as OK, I’d be worried that it could do something evil with that permission somehow, in a far-flung bit of the code.


I'm not saying a popover modal, I'm saying a toast notification or a status-bar icon. Non-blocking.

Like, when you're typing and it's being monitored: in the corner of the window it says "Extension TweetSyndicator is reading your keyboard. Click here to manage extension."


All these things are done by useful non-malicious extensions. Warning fatigue is a thing.


There are legitimate reasons to read GPS signal but we still show a notice when it happens.


I agree. When an app uses GPS on my phone, I'm informed of that: a notification permanently displays in the top bar until it is no longer being used. Same with the camera and mic. If my clipboard is copied, I get a notification as well informing me of that and telling me which app did it.

I'm not sure why a similar system doesn't exist for browser extensions. Furthermore, there are limits to what features you can and cannot disable for Chrome extensions, and as far as I'm aware there are no logs of what actions they took.

I had an extension that randomly redirected me to scam URLs while doing completely innocuous things such as visiting the homepage for Gmail, YouTube, or performing a Google search (after pressing enter for the initial query, before clicking on any URL.) I had 15 extensions, and the redirects were infrequent enough that disabling extensions one by one wouldn't help much: it could potentially take months to track it down, and there's no way of disabling the permission to redirect to different URLs. I searched the minified source code for all of the extensions that I had, but none of them had the URLs I was redirected to. My guess is that they pulled data from a server and then redirected me to whatever malicious URL it pulled at that time. I also checked network traffic in the Chrome Task Manager to see if there was an extension sending data for unknown reasons, but again, nothing, so it likely periodically pulls a URL to redirect me to from some server, redirects me, and then sleeps for a few days. Short of un-minifying all 15 extensions and trying to understand the purpose of every redirect, many of which would be legitimate, I'm not sure what can be done.

In the end, I removed every last extension aside from my password manager and uBlock Origin (which fixed the issue — over one month later I've never been redirected to a scam URL.) Many of the extensions I used were open source, but I don't think any hash system exists to verify the minified code matches the source files for Chrome extensions (maybe I could do that manually, but I don't want to do that every time there's an update for any of the 15 extensions I had.)

It's unfortunate, as many of the extensions I used improved my productivity and helped me focus better and be distracted less. But as it is currently, the browser extension ecosystem simply isn't safe.

From what I've heard, Firefox's review process is better in some ways than Chrome's, but their extensions can have even more control of your browser.

I don't think it's impossible to design an extension system that is secure: extensions just need to have the ability to be granted extremely limited permissions, and any permission beyond what is reasonable should be denied in the review process for putting it on the Chrome or Firefox extension stores. Most of my extensions shouldn't have even needed Internet access (if they can execute JavaScript, they'd still be able to redirect me to a scam URL, but if it couldn't have pulled a URL from an external server, then the URL would need to be in the minified JS, so I'd have been able to catch it.)


How to encourage code golfing in real world usages?


Tampermonkey?


And bookmarklets. These are leftover artifacts of the time when computers worked for us.


> If Firefox were to really take off (like it should, imho), are we really ready for a web full of people being attacked by the worst spyware ever?

We've been there, nobody died. 15+ years ago, Firefox was significantly more powerful, while also having a significantly higher market share.


> We've been there, nobody died.

[Citation needed]


Yes but that was before cryptocurrency created a new era of crime monetization.


Most browser extensions seem to be used on Firefox, because Google is so hostile to ones on Chrome. With the decline of Firefox, the extension world has shrunk. I had something called "Ad Limiter" on both Firefox and Chrome for a decade. Identical code, even. Google sent me threatening messages last year, as they tightened the screws on ad blockers, and I dropped it for Chrome.


Firefox is not really less hostile now. You can't even install and maintain local add-ons anymore. You can either install them temporarily, and they are removed when the app closes. Or you must upload and sign them to their store.


I believe nightly edition and/or developer edition lets you install unsigned addons. Also there's a way to get an addon signed for private non-store use - can't speak to how that works, as my current project isn't quite to that stage yet.


That's a good point. Perhaps Firefox will benefit from an embrace/extinguish maneuver for once. Become compatible with Chrome extensions, then take over the space as Google retreats. This path too passes through no longer referring to "browser extensions".


Extensions were compatible for years until Google changed the manifest format and parts of the API.


> Most browser extensions by weight are Google Chrome extensions. Google Chrome is unambiguously demonstrating that no API is safe in its quest to juice revenues. Anybody who builds extensions using Chrome's APIs should be very aware that they're quite possibly putting effort into something a juggernaut will stomp away without a second thought.

How unlike developing for literally any other environment.


I don't know if you're being sarcastic. There's a spectrum between developing for Lua (juggernaut is super friendly), Python (juggernaut is mostly friendly, even if 2->3 caused a lot of casualties), Go (in spite of the corporate backer, quite careful about not stomping) and Chrome.

Yes, there's always a counter-party. My point is it saves a lot of later grief to consider up front the counter-party you're entering into a relationship with. Their incentives and track record.


Which, for plenty of Chrome extensions, is fine.

Google has removed capabilities for certain categories and it's pretty easy to figure out what's going to be risky.

But I use a set of very useful extensions, none of which present any problem to Google, all of which are extremely useful, and all of which I expect to stick around.


You and I lack the imagination to see how those APIs might be hindering revenues. Are you really willing to bet Google will not find a way in the future? I'm not. The need for revenue doesn't just stop. Eventually they'll return to squeeze water from these stones.


Quite right. Google and other commercial platforms may cut features or make breaking changes out of greed, while open source projects do it because they chase shiny things and can't be arsed to do legacy support. The end result is the same.


Has Firefox fixed its syncing feature? You used to have to literally move a profile file around. I remember working in IT a long time ago and Firefox was an absolute nightmare to deal with corporately. But then, back then, we couldn't control Chrome extension installations..


I'm only on Firefox because there's nothing better, but its sync at least has been pretty rock solid for me for several years now.


Sync was fixed as part of quantum.


There is a standard for browser extensions. I also built browser extensions before the standard. So you can now build a browser extension that works in Chrome, Firefox, Edge and Safari. But indeed, you can also use some specific APIs for only a single browser. That is really bad, like building a site only for a single browser. But the base should be compatible. And because you can always see the extension source code, you can modify a version of your own that works well in your browser. (And you can share it again, of course.)


"I don't care to live in strategically lost situations like this, so I think the conversation should be about Firefox extensions."

Why would the conversation not be about editing the Firefox source code to add or remove "features" to meet one's personal needs.

What is the point of "open source" if, to use the term from the submission title, the software is effectively un-"hackable".

There is no small amount of "attack surface", and many unneeded "features", that could be removed from Firefox to someone's benefit, maybe it's only one user,^0 but that will effectively never happen. Why. It is open source so anyone should be able to audit the code and change it to their liking.

0. To be clear, I am not commenting about "most users" or the majority of users or whatever. I am referring to the small class of users who are explicitly dissatisfied.

In 1995, there were numerous non-commercial browsers. Netscape, the source of Mozilla, was one of the few attempting to commercialise.

https://www.w3.org/Clients.html

There is nothing wrong with having "all-in-one" programs. As long as other "not-all-in-one" programs also exist as alternatives.

Arguably, the aim of the "all-in-one" program may be to obviate the existence of other programs, namely smaller, simpler ones.

Those pushing gigantic web browsers might assume and argue, e.g., that it is inconvenient to have different programs for different tasks. This could be true. For some users. However it is also true that small programs can be made to work with each other. UNIX is the example. Over thirty years of continual growth. The companies behind the giant browsers probably could not survive without it. There is choice.

Large "all-in-one" programs and small ones like UNIX utilities can co-exist. The two are not mutually exclusive.

Personally, I prefer not to use a giant browser to make HTTP requests on the open internet. It is overkill and there is a profound lack of user control. (Hence "solutions" like "sandboxing", and an ever-increasing number of Band-Aids that serve only to add more needless complexity. The companies releasing these giant "all-in-one" programs are funded by advertising. Enough said.) For me the "modern" browser is more useful as an image viewer and media player.

It is possible to "browse" the web without advertising, tracking or other annoyances, I do it every day,^1 but not with one of these giant advertising-supported "all-in-one" programs like the "modern" web browser. It is a losing battle to try. No amount of "extensions" can change the balance of power over those giant programs.

Despite that these "browsers" are "open source", dissatisfied users who know how to program are not editing the source code to remove the bad bits. Instead they helplessly complain in forums like HN.

1. I am not a typical user. (Though I might be in 1995.) I prefer text over graphics. I like to read without distraction. Because text is easy for the user to manipulate, it seems to have a defense against advertising that is not available with graphics. For example, if text ads were inserted into response bodies, I can easily filter them out.


> Why would the conversation not be about editing the Firefox source code to add or remove "features" to meet one's personal needs.

Because extensions are way easier to write, less likely to break because they use mostly stable public interfaces, and don't require an amazingly long compile.


I'd very much love to be able to clearly remove features I don't want and use, including a lot of the things about profiles, then use a tool to remove all unused codepaths to make a fast, usable and hopefully easier to understand product. But who has the time to dig into the behemoths of firefox and chrome today? It's just too much code to easily grasp.


Unlike you I don't have a dislike of graphics. I do however see value in small simple software. The Web is a runtime so very complex that it takes huge organizations to create.

Theoretically, you could sacrifice full compatibility by implementing only the APIs used for Google, Facebook, YouTube, Reddit, Amazon etc. and have something much simpler. But that would still be a hard task because you are making a big compatibility hack for certain websites. Like the wine compatibility layer only for websites. Except that the websites could stop working at anytime and then you'll have to pile on more interfaces to keep up with them.

When evaluating software utility we oftentimes forget that websites are software and don't attempt to cost them in. Using them is a recurring cost in terms of complexity. They are definitely not free or even low cost.


"I do however see value in small simple software."

Years ago on HN, I had commenters attack statements I made about the value of small, simple software. They literally challenged the terms "small" and "simple". After that I started prefacing these words with "relatively".

"When evaluating software utility..."

Another time, an HN commenter attacked a statement I made about how I evaluate software for myself. He suggested something to the effect that end users were incapable of evaluating software.


I think the presumption of what users want is a kind of classism. Users are humans and as humans we have a hierarchy of needs that can lead to certain tradeoffs. Doesn't mean only the techies appreciate things like privacy and having agency over software. Just because corporations don't give us a choice doesn't mean "the market has decided". So you aren't an outlier, you are just aware and maybe more interested in the problem than someone who isn't a programmer.


Amen.


The impedance to compiling IMHO defeats the point of open source. I use a text-only browser I can compile in less than a minute. I use an HTTP generator that compiles in two seconds. The so-called "modern" browser is a PITA. A nuisance. An unfortunate necessity for accomplishing certain tasks, e.g., commercial transactions such as banking or shopping. But most of the time I am using the web I am not doing those tasks.


Oh I agree so much with you.

https://akkartik.name/freewheeling


Many popular browser extensions were bought up by data brokers that use them to exfiltrate browser history, so not sure if they’re underrated, I think you have to be pretty careful as the extension security/privacy model is/was pretty awful. I e.g. know screenshotting extensions (Awesome Screenshot) that would vacuum up your browser history and send it to a data broker in Israel. So probably better to have that as a native browser feature.


> Many popular browser extensions were bought up by data brokers that use them to exfiltrate browser history, so not sure if they’re underrated

I would say, as the developer of an upfront paid web browser extension, that upfront paid web browser extensions are underrated. ;-)

It's a truism that if you're not the customer, you're the product. But what if you are the customer? I think a lot of the mistrust of browser extensions is due to the difficulty in monetizing extensions directly. If you're making nothing from an extension, and someone offers you a nice check to acquire the extension, it can be difficult to turn down that money, especially if the extension is a support burden for the developer. Of course I have my price too, as almost everyone does, but at this point the price would have to be 7 figures (maybe 8??), which I don't think anyone would ever pay for my extension. My user base is relatively small, and thus doesn't provide a huge opportunity for data collection or other nefarious schemes, precisely because the extension is paid rather than free.


I will leave this as a gallery of emails with offers to buy extension hoverzoom: https://github.com/extesy/hoverzoom/discussions/670

Sidenote: The "collaboration" offers come from time to time even to non-extensions projects, if they are reasonably widely used. E.g. simple tools (rather widely used suite of android apps recently sold).


Out of curiosity, those Russian messages are in Russian because you are Russian or an eastern solicitor simply doesn't give a F?


What Russian messages?


06/07/2016 and 10/30/2017, and 11/22/2018, I think there may be one or two more but I am too lazy.

Cool idea to publish those. I remember when The Pirate Bay was publishing takedown notices in a special, public category.


I am not the developer of the extension. It's just an interesting issue I have come across.


This is fantastic. Too bad they redacted the names. These scumbags deserve to be known. And the saddest part of the story is you don't know if it is true or a cover-up. On the other hand it appears to be MIT. Are Google Chrome extensions reproducible?


Some of those offers are insultingly low. $3000 to purchase the whole project? Really?


"Your real profit per day will be $ 9000."

LOL


I believe the profit number, even the number of lines > 8 lines of code in the manifest of your extension.

As long as they are lines [like ones used to collect card info](https://www.theregister.com/2018/09/11/british_airways_websi...) from British Airways (supply chain attack).

For how many days will profit be collected is the question (plus the fun criminal investigation).


Yup, and he won't care about the criminal investigation because from other side of iron curtain v2. But if you're from the side where the nation isn't the cover for criminal enterprise you could get in trouble.


> It's a truism that if you're not the customer, you're the product.

Though, even if you are, paid products are often monetized in all the exact same ways. Why not.


The only difference between a paid and unpaid piece of software is the revenue stream. In a paid software, your incentive to not screw over existing users is because your app would get poorer ratings and you won't acquire new paying customers. I've seen many times where a paid app stops growing as much and turns into a subscription model or becomes unpaid, giving paid users some small benefit (or nothing at all) and starts screwing over all users indiscriminately.


Something that’d help here is if extension galleries displayed price tags and let you filter by paid (bonus points for being able to distinguish between one-time and subscription).


Upfront payment does not exclude further monetization at the expense of the user. If anything, it is a signal that the developer is motivated by money.


> If anything, it is a signal that the developer is motivated by money.

Duh?

Who isn't motivated by money, though? The frequent acquisition of free extensions proves that even open source developers are motivated by money too.

The issue, again, is the identity of the customer. Is the customer you, the extension user, or is the customer the advertisers, making you the product?


Yes. Because of this and the lack of fine-grained permissions mentioned by a sibling comment, I tend to use desktop apps where I can instead of extensions, keeping my extensions list quite slim — basically all I install are FOSS extensions by “big” known-good authors (e.g. Raymond Hill) or projects that aren’t going to sell out.

Of course risks exist with desktop apps too, but historically this kind of buy-and-exfiltrate scheme is comparatively rare with desktop apps, particularly on macOS where signed apps are sandboxed and can’t do a whole lot without user permissions.


> I tend to use desktop apps where I can instead of extensions

How locked down are desktop apps now on Mac, Windows and Linux? I haven't kept up. Do they still have a lot of access by default to do malicious things with? I recently saw someone install the Adobe Acrobat desktop app and it installed its own extension inside of Chrome without asking. Games can have scary DRM as well.

Chrome extensions can't read/write to arbitrary places on your hard disk without asking for example and you can isolate them within separate profiles. Not saying they're perfect but there is robust sandboxing of what they're allowed to do. I'm curious how this compares to an Electron-based desktop app i.e. which is running Chrome on the inside but with the standard restrictions Chrome places on tabs and extensions unlocked.


> How locked down are desktop apps now on Mac, Windows and Linux?

It’s hit or miss. There have been advancements on macOS and Linux where there are mobile-style permissions and sandboxing in some cases, but one needs to be aware of how apps are packaged to be able to leverage these advancements. Adobe stuff and Chrome on macOS for example have basically free rein still as they have specifically opted out of OS sandboxing, while a lot of small indie apps are sandboxed. Chrome I think can be put in a sandbox on Linux by way of Flatpak.

Windows has done practically nothing and is the same as it’s always been where desktop apps can do basically whatever they please, especially if given privileges with UAC (which seemingly every other Windows app needs for some reason).


Windows introduced better mobile-style permissions and sandboxing with the APPX format in Windows 8. However the only incentives to use it were the ability to build UWP apps and accessing the Windows Store. Everyone rejected the Windows Store, so developer adoption is close to zero (and now those incentives are gone too).


> on macOS where signed apps are sandboxed and can’t do a whole lot without user permissions

Mac App Store apps are (mostly) sandboxed. Developer ID signed Mac apps distributed outside the App Store are mostly not sandboxed.


The bar to write secure desktop software is significantly higher than for browser extensions. Especially with all the Electron crap these days, you're one XSS away from full-blown RCE.


Absolutely, but the short- and long-term risk posed to most by installing random browser extensions willy-nilly is still almost certainly higher than that of instead opting for vetted desktop apps, especially if using PWAs in place of Electron apps where possible (which I do).


Desktop apps are no more vetted than Firefox extensions.


I’m talking about community vetting. It’s usually easier to find discussions on the internet where people have discussed and scrutinized desktop apps (e.g. “this app phones home”) than it is to find the same for most browser extensions (which are often only heard about after having been turned into malware).

The tooling is often better there too, e.g. one can keep a short leash on app network activity with Little Snitch and similar but I’m not aware of an equivalent for browser extensions.


It's not the lack of a fine grained permissions model, it's the total lack of a real threat model and any consideration at all for what happens as extensions change over time.


> probably better to have that as a native browser feature

/Agree. It is crazy that I have to trust some unknown coder with all my browser data just to enable vertical tabs in Firefox.

Of course many of these extensions are open source and thus auditable. As I lack the skill to detect nefarious code, I am wondering if this might be a good use case for AI. Anyone have thoughts on building good malware-finding prompts?


This is a really great idea and use case. It also makes a ton of sense as a pilot use case for this type of open source project given extensions are smaller in scope.

I mean even having it document a best draft of what the extension code is doing would be awesome.

Unless it’s made into an extension and then you have a recursive hell.


I wish browser extensions had more fine-grained permissions but it's a tricky problem verifying if software is using permissions maliciously (see the Obfuscated C Code Contest and the Underhand C Contest) and how to communicate nuanced permissions to users (most users don't read and/or understand tech stuff, and can be easily misled).

A tip in Chrome that I never see mentioned if you want to be extra safe when trying extensions:

- Go to Profiles > Add profile > Continue without account

- Install any extensions you feel like in this profile and they're completely isolated from the tabs, logins, history, cookies and so on in your regular profile. Similarly, you can run Chrome Beta or Chrome Canary for installing extensions into, alongside regular Chrome.

E.g. you can install 10s of potentially risky web development extensions into this profile (they usually need a lot of access to do what they need to do), and keep them sandboxed away from the profile where you do your personal banking or login to work websites.

It's not practical for every extension, but I do this for my web development stuff and only use a couple of extensions for personal stuff.

I sell a browser extension where the permission I really want to ask for is "can only observe the network traffic it sends/receives in its own tabs" but I'm lumped with having to ask for the "read and write all your data" permission, but I make sure to share the above tip in the description (shameless plug: https://chromewebstore.google.com/detail/checkbot-seo-web-sp...).


Firefox user here, I wish Multi-Account Containers had a way to disable extensions per container. I don't need any on my banking site. Sure I could use separate Profile but UX hurts here.


Yeah, as you figured out, a separate profile is currently the only workaround. In case you aren't aware, there is an easy way to quickly launch it though in Firefox or Pale Moon - go to about:profiles and you can easily create / launch any profiles quickly in a new window.


It may be a little paranoid, but I use a separate local user account for those kinds of things.

Perhaps not convenient, but it certainly helps keep me on task when I'm in official-paperwork mode. :p


I solved this problem by using Qubes OS. Different Firefox instances for different tasks run in dedicated VMs, with independent configs and extensions. It allowed me to better organize my digital life and provided more security at the same time.


Yep firefox profile UX is sadly not good. But I just bind different firefox profiles to different keybinds in my WM


The "read and change all your data" permission is a huge hurdle for our shopping extension, especially since we only need to identify shopping pages. What I've tried to build trust is to open source our tracking analytics (e.g. https://github.com/Score-Extension/score-extension-analytics...).

Hopefully transparency is one way to overcome this trust barrier.


We have the same issue. We have a browser extension that wants to extract data from given web pages (retailers, like yours), but there is no API to declare "I want to look at the content of this page only if the URL matches this pattern" or "Let me have a look at the URL and I will tell you if I want to look at the page content". It's unfortunately "all the web" or nothing.


> What I've tried to build trust is to open source our tracking analytics

That's like being upfront about what kind of getaway car you are going to use for the robbery.


> I sell a browser extension where the permission I really want to ask for is "can only observe the network traffic it sends/receives in its own tabs" but I'm lumped with having to ask for the "read and write all your data" permission

Yeah it would be nice if there were a way to limit the entire scope of an addon's permissions to a whitelist of domains. Chromium has a way of whitelisting domains an addon can run on[1] but I've assumed it doesn't affect the broader permissions you mention (general history, etc).

[1] Click 'Details' of the addon and switch the 'Allow this extension to read and change all your data on websites you visit' option to 'On specific sites' then add the sites to the whitelist.


> Yeah it would be nice if there were a way to limit the entire scope of an addon's permissions to a whitelist of domains.

You can do this for the network read/write permissions, where the permission request dialog on install will tell you the URL patterns the extension wants access to.

I can't do this for my specific extension though. My extension checks web pages for problems like broken links, so it needs to be able to fetch any web page URL you give it and then it has to fetch any URLs that are linked to on the page, so I have to ask for access to `http://*` and `https://*` (I could maybe get away with just the `activeTab` permission to check the domain of the current tab if the checks were more limited though).

The extension is only doing operations like this within its own tab, when you have the extension open, and for its own network requests, so it's frustrating there isn't a more granular permission I can ask for as I've isolated it as much as I could.

It's a tricky problem though. Browser makers will have certain kinds of extensions in mind, and optimise to make the permission system and permission request messages friendly for those kinds of extensions. Less standard extensions usually have to settle for broader permissions with less friendly permission descriptions, until hopefully the permission system gets iterated on based on how it's being used in the wild (Manifest V3 in Chrome for example).
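The host-access question in the comments above can be checked directly from an extension's `manifest.json`. The following is an added example, not code from any commenter or from a browser vendor: it sorts the requested match patterns into all-sites and listed-sites access, and goes one step further by reporting what a newer version of the same manifest adds. The function names and sample manifests are constructed for illustration.

```javascript
// Added example. All manifests below are constructed samples.

// Host access is written as match patterns: "<all_urls>" or scheme://host/path.
const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');

// A pattern whose host part is a bare "*" covers every site.
const isAllSites = (p) => p === '<all_urls>' || /^[a-z*]+:\/\/\*\//.test(p);

const unique = (items) => [...new Set(items)];

function auditManifest(manifest) {
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 moves them to "host_permissions".
  const required = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  const optional = [
    ...(manifest.optional_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  // Content scripts are injected wherever their "matches" patterns apply.
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);

  const hosts = unique([...required.filter(isHostPattern), ...injected]);
  const apiPermissions = unique(required.filter((p) => !isHostPattern(p)));
  const allSites = hosts.filter(isAllSites);
  const scopedHosts = hosts.filter((p) => !isAllSites(p));

  let scope = 'no-page-access';
  if (allSites.length > 0) scope = 'all-sites';
  else if (scopedHosts.length > 0) scope = 'listed-sites';
  else if (apiPermissions.includes('activeTab')) scope = 'current-tab-on-click';

  return {
    scope,
    allSites,
    scopedHosts,
    apiPermissions,
    // Broad access the extension may ask for later, at runtime.
    optionalAllSites: unique(optional.filter(isAllSites)),
  };
}

// What a newer manifest requests that the older one did not.
function addedOnUpdate(oldManifest, newManifest) {
  const before = auditManifest(oldManifest);
  const after = auditManifest(newManifest);
  const added = (key) => after[key].filter((p) => !before[key].includes(p));
  return {
    allSites: added('allSites'),
    scopedHosts: added('scopedHosts'),
    apiPermissions: added('apiPermissions'),
  };
}

// Constructed: a link checker that must fetch arbitrary pages.
const LINK_CHECKER = {
  manifest_version: 3,
  permissions: ['activeTab'],
  host_permissions: ['http://*/*', 'https://*/*'],
};

// Constructed: a shopping helper limited to one retailer, then a later release.
const SHOP_V1 = {
  manifest_version: 3,
  permissions: ['storage'],
  content_scripts: [{ matches: ['https://shop.example/*'], js: ['content.js'] }],
};
const SHOP_V2 = {
  manifest_version: 3,
  permissions: ['storage', 'history'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['https://shop.example/*'], js: ['content.js'] }],
};

// Constructed: a Manifest V2 extension and a click-to-run extension.
const LEGACY_V2 = { manifest_version: 2, permissions: ['tabs', '*://*/*'] };
const CLICK_ONLY = { manifest_version: 3, permissions: ['activeTab', 'scripting'] };

console.log(auditManifest(LINK_CHECKER));
console.log(addedOnUpdate(SHOP_V1, SHOP_V2));
```

Run against the `manifest.json` of an unpacked extension, the `scope` field gives the answer the install dialog only summarises, and `addedOnUpdate` shows whether a release widened it.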


On Windows you can use apps packaged by portableapps.com. Needs AllowMultipleInstances=true in the .ini.


> Browser extensions remind us what it’s like to have deep control over how we use our computers.

Uh. Linux users would like a word here.

But more generally, there's a significant component of this that seems isomorphous to the question I was trying to discuss in a post I wrote several years ago called "Is Open Source a diversion from what users really want?"

There seems to be much more excitement about ways to "hack" software that do not involve build systems than the complete, open-ended and (theoretically) unbounded access provided by FLOSS. It's not hard to see some obvious reasons why that would be true, but still a little disappointing.

I tried to discuss that here, specifically in the contrast between Reaper's provision of scripting-but-closed-source versus Ardour's scripting-but-open-source.

https://discourse.ardour.org/t/is-open-source-a-diversion-fr...


> Uh. Linux users would like a word here.

As a Linux user, I disagree. It's not quite the same. Yes, I could recompile my kernel if I wanted to. I can recompile most of userspace too. But it's a hassle, especially if you want to diverge from upstream, and maintain that divergence on a long-term basis.

You can do some fun hacks with LD_PRELOAD et al, but it's nowhere near the degree of flexibility and ease of access of browser extensions.

I am allowed to modify all the software as I see fit (and that's excellent), but the friction of actually doing so is (comparatively) high.


You raise an important issue around persistence of state.

The question isn't whether you need to recompile source, change config files, download application plugins or set-up a bunch of check-boxes in a nice GUI.

It's whether you can trust those settings to stick.

I've lost count of people telling me that phone settings I suggested simply "reverted" or somehow turned themselves back on/off.

Even some Linux distros that use Snap alongside auto-updates etc are really quite sneaky.

But to my mind web browsers (and I include all of them, Chrome, Firefox or whatever) are utterly treacherous.

Any careful security stance requires constantly checking and re-checking that policies are still in effect.


I feel gentoo reduces that hassle a fair amount since you can just toss the patches in and the distro pulls them in on updates. So long as you're not messing with APIs it's not too bad in terms of bitrot.

... I suppose you could do the same thing with debian too. You'd just need to maintain an overlay repo that rebuilds off the upstream deb sources for the packages you touched.

At that point you're pretty much doing the same thing distro's volunteer maintainer is doing. Take an upstream package, add tweaks, rebuild them automatically with tweaks on the next upstream release.


It's similar with NixOS, patching a package is just adding a few lines in a persistent (and generally short) config file. You "only" pay for that patch by having to update it for newer versions and by compile time.

The developer experience isn't as good as browser extensions yet, though. Iterating on a patch means downloading that package to a local directory and building it there, which won't be enough for, say, patches to system libraries. You have to actually apply the system configuration for that, which means recompiling.


I should maybe give Gentoo a second try. I last tried it on a dual-core thinkpad and it was a pretty miserable experience due to the long compile times. These days I have fast computers, and I hear Gentoo even started shipping binaries recently.

I have a huge amount of respect for the work distro maintainers do. It's not especially fun or glamorous work, and many are unaware that it even happens, but it's essential.


What does compiling the kernel have to do with it? It's about the fact that Linux lets you control every single aspect of your OS and tweak it to your liking. It's a pretty good example that shows you what it is like to control your PC, more so than browser extensions. Just look at what a pain in the ass it is to remove Edge from Windows; even now that the EU has mandated it, it's still a 10+ step guide that requires some tool from GitHub ... and before that you could not even do that. Your start menu in Win11 is polluted with "news" and Bing AI crap ... with no simple way to just disable it. If you use Linux you are in control and there are no annoyances and almost no proprietary code from the very start.

You have endless different Desktop Environments ... Linux offers way more control over the OS than any browser extension does. Firefox killed the system where you could modify the look of the browser more; I do not mind, but I am still making this point when we talk about feeling in control.

You make no sense.


Firefox is every bit as open source as Linux. You can control every aspect of it and tweak it to your liking and you are not limited to extensions.


it's very easy with debian to maintain small patches on top of packages

and dpkg-buildpackage will do all the hard work for you


> Uh. Linux users would like a word here.

The shift of Linux to systemd was a very similar experience to the decline of browser extensions. Yes, you can change how your computer works. But unless you're willing to put a lot of effort into maintaining those changes, the APIs you use will be cut out from under you and it'll be harder and harder to make your computer do what you wanted rather than what someone else thought it should do.


Just my own experience, but I've actually had more fun and more success using systemd to do funny stuff with my PC than with sysvinit. Can't speak to the other init systems though.


I've just reached the learned helplessness point where it feels like it's not worth learning anything because it's going to change again by the time I use it. Right now I've got a service that starts every boot that I stop manually each time because I can't figure out how to disable it; even if older init was "worse", it was "just" a shell script so I could do stuff like commenting out lines without having to go into the details.


I think your response kind of misses the point. It's not that you can't do things with systemd, it's that your previous hacks suddenly no longer work. The same will be true for your systemd stuff once Red Hat decides that they want something else.


I think people see extensions as a way to bypass code signing, distribution, and brand building.

So chrome (or whatever) becomes a platform for distributing and executing software.


I built a chrome extension that is featured on the chrome web store[1] and the number of requests I get from shady data brokers looking to buy my extension and fill it with spyware is really concerning. A naive dev could build something cool and sell it off to someone thinking they'll maintain it for them but instead just cause a hazard for users. Google seems to do a decent job of reviewing the use of permissions but some extensions like mine really need access to everything on the page so I can only imagine what a data broker could do with it. Be careful what you install.

[1] https://chromewebstore.google.com/detail/css-selector-helper...


Cool extension. I love when devs open source stuff that makes their lives easier.


Thanks! Here is the repo if you have any issues/suggestions: https://github.com/jlawrence6809/CSS-Selector-Helper-for-Chr...


How far did you have to deviate from the demo extension to make this? I've written themes for vscode and intellij but never done an actual extension because it's js/ts and I don't really enjoy writing those.

I really wish they had a DSL for extensions to allow them to be more broadly written. Like, I feel like I have to basically learn js to learn to write a chrome extension and I'm a go/rust dev who will use it literally nowhere and I just want to make the AWS console not suck, for instance.

But I keep trying to will someone like me into existence to make this extension and nobody is appearing lmao.


This extension is pretty unlike most of the examples the chrome docs provide because it extends the devtools which most extensions don't do. There are a lot of hidden gotchas you have to look out for when extending devtools and the api they provide just isn't as well thought out. However I actually made the first version of this extension when I was just starting out learning html/css/js and I think it was a good project for that. I wouldn't worry about making something presentable for the webstore at first. Just build whatever you need with really bare bones UI and iterate if you foresee it being useful for other people. Maybe even start with a greasemonkey script.


I think what we need the most is a "view source" for browser extensions installed from the store: make it easy to view the source and to extract the browser extension into a folder.

Make it easy to find out which web pages they access and which they modified.

Minimized/encrypted code in extensions should be forbidden. It should be very easy to read the code.

E.g. this extension says "records user activity", but what is that really: https://chromewebstore.google.com/detail/coffeelings/hcbddpp...


In chrome go to chrome://extensions, enable developer mode, and now you can view source for any extension in devtools. The content scripts are already available in the regular web page's devtools without enabling developer mode.

The total list of websites is available in the installation popup for the extension.

The chrome web store already bans code obfuscation. Minification is allowed as there's no meaningful way to enforce the quality of variable names.


It is very annoying to try and follow through minified code. I've tried to view the source and see what some extensions are doing but it can be a bit of a painful process. You can at least sometimes figure out what kind of GET/POST requests the extension may be making, but it's much more time consuming to try and ensure everything is safe.

The other problem is that the extensions can update. You typically get zero notification an extension was updated. Most extensions start off safe, but later get sold and used to farm data.


There is a button to format the code for minified files.


Formatting isn't the issue. Just more time consuming to try and read the code when it's all got garbage variable and function names. Not that you can't do it, just slightly more effort. Also the bigger issue I mentioned in my comment relates to the problem of extensions updating without any notice.


I expect that LLMs will help to make a breakthrough in reverse engineering by helping to give meaningful names to variables/functions.


Is there any legitimate reason to minify code for extensions? The size gains are minimal since it's a one time thing. But I agree that it would be hard to enforce, though google "manages" to enforce even more ambiguous requirements on their play store haha. I guess they could make it a guideline or a requirement, and "good faith" devs would comply even if it would be hard to enforce.


It would be waay easier than e.g. deciding if a YT video is for kids. You can immediately generate all the data by taking all unminified chrome extensions and minifying them, so you can validate your detection accuracy, then flag those that are minified on the store page, and provide some appeal option for devs just in case.

Come to think of it, it could be a chrome extension...
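A rough sketch of the detection idea floated above, added here and not part of any comment or of any store's review tooling. It separates two signals the thread distinguishes: packed layout, which the devtools format button undoes, and mangled names, which survive formatting. The thresholds, function names and sample sources are assumptions chosen for illustration.

```javascript
// Added example. Thresholds and sample sources are constructed assumptions.

// Rough removal of string literals so their contents are not read as declarations.
const stripStrings = (src) => src.replace(/(['"`])(?:\\.|(?!\1).)*\1/g, '""');

function sourceFeatures(source) {
  const lines = source.split('\n').filter((line) => line.trim() !== '');
  const avgLineLength = lines.length
    ? lines.reduce((sum, line) => sum + line.length, 0) / lines.length
    : 0;
  const whitespaceShare = source.length
    ? (source.match(/\s/g) || []).length / source.length
    : 1;
  // Names introduced by var/let/const/function declarations.
  const declared = [...stripStrings(source).matchAll(
    /\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)/g
  )].map((m) => m[1]);
  const shortNames = declared.filter((name) => name.length <= 2).length;
  return {
    avgLineLength,
    whitespaceShare,
    declaredNames: declared.length,
    shortNameShare: declared.length ? shortNames / declared.length : 0,
  };
}

function classifySource(source) {
  const f = sourceFeatures(source);
  // Layout signal: very long lines or almost no whitespace.
  const packedLayout = f.avgLineLength > 150 || f.whitespaceShare < 0.1;
  // Naming signal: most declared names are one or two characters long.
  // A minimum count keeps tiny snippets such as "const x = 1;" from tripping it.
  const mangledNames = f.declaredNames >= 5 && f.shortNameShare > 0.6;
  return { packedLayout, mangledNames, flagged: packedLayout || mangledNames };
}

// Constructed sample: readable source.
const READABLE = [
  'function collectLinks(documentRoot) {',
  "  const anchors = documentRoot.querySelectorAll('a[href]');",
  '  const targets = [];',
  '  for (const anchor of anchors) targets.push(anchor.href);',
  '  return targets;',
  '}',
  'function countInsecure(links) {',
  '  let insecure = 0;',
  "  for (const link of links) link.startsWith('https:') || insecure++;",
  '  return insecure;',
  '}',
].join('\n');

// Constructed sample: the same logic after minification.
const MINIFIED =
  "function a(b){const c=b.querySelectorAll('a[href]'),d=[];" +
  'for(const e of c)d.push(e.href);return d}' +
  "function f(g){let h=0;for(const i of g)i.startsWith('https:')||h++;return h}";

// Constructed sample: the minified code after pretty-printing.
const PRETTY_MANGLED = [
  'function a(b) {',
  "  const c = b.querySelectorAll('a[href]'), d = [];",
  '  for (const e of c) d.push(e.href);',
  '  return d;',
  '}',
  'function f(g) {',
  '  let h = 0;',
  "  for (const i of g) i.startsWith('https:') || h++;",
  '  return h;',
  '}',
].join('\n');

for (const [label, src] of Object.entries({ READABLE, MINIFIED, PRETTY_MANGLED })) {
  console.log(label, classifySource(src));
}
```

Measuring accuracy the way the comment suggests would mean running `classifySource` over known-readable sources and their minified builds and counting the misclassifications.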


You can view the source of browser extensions hosted on the Chrome Web Store without installing them. I've occasionally used this tool for that purpose: https://robwu.nl/crxviewer/

This won't help against intentionally-obfuscated code but it should help with security & privacy research for most extensions.



> Today, it requires a big jump to go from using browser extensions to creating them: you need to learn a fair amount of web development to get started, and you can’t easily develop extensions in the browser itself. What if there were a quick way to get started developing and sharing extensions in the browser? You could imagine smoothly transitioning from editing a website in the developer tools to publishing a small extension.

They're not full extensions, but userscripts and user styles go a long way, and extensions exist that allow people to create/use them in the browser (eg. Tampermonkey[0] and Stylus[1].) I consider them incredibly important, even though they can't do as much as extensions.

[0] https://www.tampermonkey.net/ [1] https://chrome.google.com/webstore/detail/stylus/clngdbkpkpe...


Userscripts are underrated! I use them for all kinds of things, like fixing GitHub's useless landing page (taking me to my repositories instead), make the Mastodon "follow" button work (by hardcoding my instance's domain), block useless results from Google search results (stackshare and the like), redirect from the YouTube "short" view to the normal video view, remove the stupid whitespace to the right of Gmail's scrollbar, etc.


I've used Tampermonkey for a couple of moderately complex things and it does work well... I didn't come across a particularly nice way to use an external editor or integrate it with a normal dev workflow though, I wonder if anyone has tricks to share?

I'm fairly satisfied with editing in VS Code, using a tsconfig.json with strict mode and checkJs turned on, then using JSDoc for typing. The ugly bit is the manual copy-paste into the Tampermonkey code area each time.


I tend to copy/paste into the console anyway during development, so having to copy/paste into Tampermonkey too doesn't slow me down too much. I suppose it would be nice to have a more integrated workflow though.


Yeah, I agree it's not slow as such - but I find it a bit distracting remembering to do it, and if I don't concentrate then I forget and then I risk confusing myself momentarily (not hard to do).


I don't use Tampermonkey (it's not FLOSS), but I'm pretty sure Violentmonkey autoreloads script files when that script was installed from a local file (maybe I had to enable it somewhere).


It looks like you're right, I may try that instead in future.

The userscripts I've made have been mostly for work and I immediately dismissed "Violentmonkey" as unsuitable because of the name, I'm not going to ask my clients or their (less technical) clients to install something that sounds quite nefarious. Unfortunate! ("Tampermonkey" is bad enough, but at least it's widely known.)


I program (not js/ts), use a massive number of extensions and consider myself an absolute power user of them and refuse to ever use a browser WITHOUT the chrome/firefox extension ecosystem, I've written themes for Chrome and VScode, but I'm still here- (like pink/cyan? get on in! https://marketplace.visualstudio.com/items?itemName=mikejk8s...).

I have no idea via the Chrome prompts what extensions are able to do, read, see, access, etc. "Allowed to access data on all websites" - Is this literally all data? Like what I'm typing? Like does it know when I go URL to URL? Is it just reading the assets? Is there a chrome API that limits their access that I can see? What do I actually need to worry about? I have a video zoomer that lets me zoom in on any video on any website, do I need to literally audit each extension myself and make sure it's not mirroring my data elsewhere or something?

I have no idea. How would a non technical user know any of this?


I'm pretty sure it's as bad as it sounds haha.

Like another user mentioned because of this I only trust a few key extensions(and like that user uBlock, Bitwarden, etc) with this sorta access.

I'd be very wary of those scrapy screen/session recording startups if for no other reason than they could be particularly vulnerable to supply chain attacks.


Not only is it theoretically as bad as it sounds, it's as bad as it sounds in reality as well. Most of the top extensions get sold to ad companies and silently start sucking up all of your browsing data to sell on. Some of them start injecting their own adverts and tracker scripts on to pages, some of them are outright stealing your credentials.

And you realistically have no way to sort the good from the bad. Especially when the good silently get sold to the bad and automatically updated.


Yeah I always go to the source/project URL in the chrome store and IDEALLY it's a github repo with a bunch of contribs but I'm sure I've played loose with a few that had no other options.

I just had one big extension I use get bought by someone last week when it updated. I gotta dig through that now.. I used to hide that extension update popup screen but now I'm glad I didn't.


yes it’s that bad. i’ve written some webexts and if you ask for all data it really is all data... otherwise how would it work if you needed to change something on a page? i keep my list to my own bespoke one-off extensions or only the major big names or i audit the code manually.


Yep, I always think the 'all data' means there is no official api to do it, so I screw it and make my own from the ground up.

Unfortunately browsers only make specific APIs for tasks that many people do. So there is always a portion of extensions that need the 'all data' because there is no other way.


I prefer bookmarklets because they

- Are easy to edit

- Are inactive until clicked

- Work in all browsers

- Work on mobile

- Integrate nicely into the UI. I can move them around, put them into any bookmark folder, assign shortcuts.

I wrote this bookmarklet editor which makes it easy to convert between clean code and a bookmarklet:

https://www.gibney.org/bookmarklet_editor


Well that's a handy site you have there. Last time I fiddled with bookmarklets they didn't work on Firefox for Android, but now they do. This is going to be handy combining it with my Node-red instance.

Got any good bookmarklets you want to share?


Edit any text on webpage

    javascript:(function() { document.body.contentEditable = true; document.body.spellcheck = false; })();

Open on wayback machine

    javascript:location.href='https://web.archive.org/web/*/'+document.location.href.replace(/\/$/, '');

Others that are longer https://github.com/madacol/web-automation/tree/master/bookma...


An interesting one I made recently is related to a game published a couple of days ago here in HN called "infinite craft" https://neal.fun/infinite-craft/

The game does not have any save mechanism, so I made a bookmarklet that loads and autosaves to localStorage

```

javascript:(function(){
    const exportState = () => JSON.stringify({
        discoveries: window.$nuxt.$root.$children[2].$children[0].$children[0]._data.discoveries,
        elements: window.$nuxt.$root.$children[2].$children[0].$children[0]._data.elements
    });

    const importState = (state) => {
        const { discoveries, elements } = JSON.parse(state);
        const gameInstance = window.$nuxt.$root.$children[2].$children[0].$children[0]._data;
        gameInstance.discoveries = discoveries;
        gameInstance.elements = elements;
    };

    /* Set up a MutationObserver to listen for changes in the DOM and automatically export the current state. */
    const observer = new MutationObserver((mutations) => {
        const state = exportState();
        localStorage.setItem('gameState', state);
    });

    /* Start observing DOM changes to auto-save the game state. */
    const startObserving = () => {
        const targetNode = document.querySelector('.sidebar');
        observer.observe(targetNode, { childList: true, subtree: true });
    };

    /* Check for a saved state in localStorage and import it if available. */
    const savedState = localStorage.getItem('gameState');
    if (savedState) importState(savedState);
    else localStorage.setItem('gameState', exportState() );

    startObserving();
})();

```


Oh that's just awesome. Using this with the send to obsidian addon sounds like the best of ideas


You can click on the question mark and then, when you click on one of the examples, it will fill the code area with the code for that bookmarklet.


They're much too big of a target now for spy- or malware. They have too much access to everything we do in a browser. And you can't just evaluate them once, they auto-update silently and you never know when they might be bought by a malicious actor.

I use a very limited set of extensions I trust like uBlock origin and Bitwarden. Also some developer extensions, but usually not on my main browser. Everything else is just not worth the risk for me.


Is there a way to use browser extensions safely? Any extension that looks interesting needs access to everything I see on the screen (and even modify it), which to me seems a huge security risk. My understanding is that random extension is able to read and send somewhere almost all my data when I read my email, do online banking, etc. Do I understand correctly the situation?


>My understanding is that random extension is able to read and send somewhere almost all my data when I read my email, do online banking, etc.

Depends on the permissions requested by the extension but often yes. The permission "Can read all data on any webpage" means exactly that.

> Is there a way to use browser extensions safely?

Yes. Depending on your paranoia/security standards. Here's what you can do (ordered by importance).

1. Use more than one browser (but stay away from proprietary or less popular browsers) and/or use multiple profiles (both Firefox and Chrome have them)

2. Have separate profiles for banking, personal email, work and general browsing. (Also good for productivity)

3. Banking profile should have no extensions.

4. Use only mozilla-vetted 'recommended' and 'security reviewed' extensions in firefox for less important accounts. Check the permissions carefully and see if they're sane. I don't use extensions in chrome at all since google web store does no vetting at all beyond automated scanning. It's the wild west out there.

5. You can be less careful with general browsing profiles as long as you don't log into important accounts. Use firefox containers (this is more for privacy though than security)

6. If some addon is tempting but not reviewed - i try to review the code (if its small and readable enough). after vetting, i disable auto-updates. A greasemonkey script that does equivalent functionality is often preferable since the code is usually smaller and readable. Disable auto-update there too. Otherwise resist the temptation to install too many addons.


Chrome has controls to not allow an extension free rein on all sites despite it asking for them. Allow only on specified sites. It's not a default for some reason, but if the extension doesn't have access then it can't do anything, bad or good.

Of course it doesn't help that it's a finance site that disables paste for which I need an extension to reenable, but at least I'm not letting the rest of my extensions get at my banking web session.


So the current options are 1. don't use extensions - this limits comfort and productivity, and the entire purpose of extensions 2. use extensions but lose security (are you feeling lucky today? what about tomorrow?)

This seems so dumb. Is this the best solution from google/mozilla/etc? I am thinking that an option to disable all extensions on a particular site/tab could solve many issues, maybe even with default on for well known email and bank providers. This would encourage ppl to install more extensions because they don't care what happens when they just read reddit.


Not really, I don't think. I hear a lot of people saying that you can inspect the source if you follow steps X, Y, and Z, but that's not a one time thing. Each time the extension is updated you have to do a full audit. You can install it independently to avoid updates, but then you run the risk of things breaking or falling behind (such as adblocker lists). Happy to learn from more experienced people that I'm wrong on this, but that's my current expectation from decades of using browsers and extensions.

For me, an extension can only require so much hands on effort before that effort outweighs the rewards of the extension. Years ago I had the Vimium plugin and loved it, but the provided functionality isn't worth the necessary audits. Not wanting to have to trust that it never sells out or gets hacked, I got rid of it. These days I just use a small handful of extensions (ublock origin, noscript, vuejs devtools) that I feel comfortable trusting and that make a significant impact on my browsing experience. I can manage without the rest.


- An addon like vimium shouldn't need too many updates so auditing and disabling auto-updates might be worth it.

- Firefox has 'recommended' addons. In addition some of the more popular addons are security vetted (their addon pages don't come with the scary "not reviewed" warning). These can be reasonably assumed to be safe.

- Also read my other reply to gp.

> These days I just use a small handful of extensions

Same here. Resisting fomo and temptations for new shiny is the hardest part but still worthwhile imo


It's possible to extract the extension's source, save it locally, and then manually install it. That insulates you from the risk of a malicious update.

(You could also audit the extension for complete safety, but TBH I'm usually too lazy to do that, and I assume that the risk of an extension currently being malicious is far lower than the risk of an extension later being updated to become malicious)


> That insulates you from the risk of a malicious update.

It also insulates you from critical security updates. Managing your own security is not without its risks.


You're free to use only extensions which are open source. So you can build them yourself, and also spot check changes in the code whenever there's a new upstream release.


That'd help, but a problem is they could still go closed-source and you wouldn't know - the store itself has no concept of open or closed source so it's not like you could check an "uninstall if it goes closed source" box. Maybe there's room for a browser extension that hosts other browser extensions but with a much better security model than what Google allows.


I think that'd be a great idea, an "FDroid for extensions": A store that serves exactly the code in the repo. Sadly I don't think Chrome/Firefox allow building this as an extension itself.


You don’t have to use the store to install and update the extension. You monitor the upstream GitHub release feed, and build and install the extension yourself on every update.


This would make a great host extension - just add new extensions to the list and it automatically pulls/builds/installs the extension.


I love the idea of browser extensions but they don’t appear to be worth the security/privacy risk for my use cases. I wonder how many others are like me and too paranoid to risk extensions at all?


I use only very few extensions. If they're open source, then instead of installing them from the browser's store, I maintain them as AUR packages. [1]

That way I force myself to build them from source.

My habit is also to inspect the changes between upstream releases. It's mostly spot checks, but it's better than nothing.

[1]: https://aur.archlinux.org/packages?O=0&SeB=nd&K=firefox-exte...


At all? Not even ublock origin? That would actually go against your stated goal of security/privacy.


Correct, none. I use Pihole for blocking. But the bigger point I think is that security conscious users are hesitant to employ extensions in general, even if some folks are ok with a couple select extensions they are still spooked by the general field.


DNS blocking has not been effective for probably close to a decade, with domain-fronting, L7 adware/spyware, fingerprinting and other trickery. Parent comment correctly characterized the lack of UBO as a net security/privacy loss.


I honestly can't imagine not using extensions. I'm 39 and have been on the web since Netscape etc in the early 90s and I honestly care more about the extensions than I do anything the browser actually does. Like, if there were no extensions I don't think I'd care at all if I used Firefox, Chrome, Opera, etc. But Chrome and Firefox have this massive, massive ecosystem of productivity improving extensions.

I'll give an example since I'm tooting so loudly about this, my job entails a lot of R&D and distributing knowledge to other engineers in a concise manner. I use an app called hypothesis- https://web.hypothes.is/ which is very popular in research groups.

What it does is it lets me essentially annotate websites. So for instance I have an application with a front end UI, instead of writing readmes with no interaction to the front end UI I can actually annotate each page like a how-to, or a help doc. You go to that specific URL and get notified that there's a hypothesis doc on it to read.

When I used to work at a k8s distro company I used it to help teach people how to deploy clusters, etc.

Another one is Dark Reader that makes every single website dark mode.. Ublock I can't even remember a time of my life not using to block ads.. I do have null stuff via cloudflare dns as well but still use ublock everywhere since it's also a massive security improvement blocking chaotic javascript.

It's amazing for training situations.

https://web.hypothes.is/


Hello. I used to use Dark Reader but then some it changed hands and a very questionable update appeared and freaked many people out, so I uninstalled. IIRC the changes were removed, or the additional code was not correctly activated, maybe both. Anyway, you may wish to check the status of that particular extension. I use some flag in config now to do approximately the same thing, it’s not as effective, but it’s close.


Link to Dark Reader changing hands and questionable update?


I’ve had a search around and cannot find a single thing about it.

This is quite strange to me as I was very upset to uninstall it, and distinctly recall reading about the security concerns on this very website. But, whatever it was, I must infer that it was a flash in the pan about nothing.


So this is another social network, on top of the web. Another walled garden.

From the terms of service:

> Our services evolve constantly. As such, the services may change from time to time, at our discretion. We may stop (permanently or temporarily) providing the services or any features within the services to you or to users generally. We also retain the right to create limits on use and storage at our sole discretion at any time. We may also remove or refuse to distribute any content on the services, suspend or terminate users, and reclaim usernames without liability to you.


Your paranoia is warranted. Like I replied in another thread up, there are a couple of things you can do. Use multiple browser/profiles. Keep a separate profile or two with no extensions for banking, shopping, email and other important stuff. You can install a couple of addons in your 'general browsing' profile. In general install only 'recommended' and security-reviewed addons with Firefox.


There's a handful of trustworthy extensions like uBlock Origin, otherwise any with full DOM access are basically a browser rootkit.


What has always blown my mind is the lack of documentation/open source projects. With such powerful data we come across while browsing the web, it would only make sense to me there would be more tools to use and extend in this space. Browsing history is especially undervalued. Even though the data technically exists, it is quite difficult to retrieve pages that have been visited, imo because of poor UX. Most people keep every Internet journey opened in hopes they will remember to return to it. I have been taking a stab at improving the UX with a history browser extension [1] which I have found myself legitimately finding value in using (a first for my personal projects lol).

[1] https://github.com/lunabrain-ai/lunabrain/tree/main/js/exten...


More like overrated. An extension can't be better, can't offer more than what the host application allows. All these developers hang on by a thread. Compared to OS APIs, in-app APIs are more unstable. Goals, profit incentives affect a single application much harsher than how a wider ecosystem would react. It's good that they exist, but at most they are viewed as a necessary annoyance by their hosts. Chrome I won't even need to mention, but winds could turn anytime on something like VSCode as well.

Sure, Webkit and VSCode are both open source and forkable along with their extension support, but any later development would rot compatibility until, and if, a popular fork emerges.


There was a good article from John Loeber a few months back about browser extensions: https://loeber.substack.com/p/9-15-years-of-market-gaps-for-...

He had the same point, where it feels like browser extensions are a big, somehow under-appreciated market. Browsers are huge platforms -- creating add-ons and making them more capable should be a popular, value-generating thing to do! But for a number of (developer) UX/UI issues, that just hasn't been the case. I hope this changes!


The web has become unusable without extensions like uBlock Origin, but extensions can contain malware.

I have moved over to only using extensions that have gone through Mozilla's manual code review necessary to become part of their "recommended extensions" program.

> Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts

https://support.mozilla.org/en-US/kb/recommended-extensions-...


It's possible that some here might confuse Web Extensions with Safari App Extensions. Safari App Extensions are not the same as Web Extensions. App extensions are written in native code (Objective C or Swift); they operate within Apple's sandbox; their data is saved within Apple's secure file system; and if they are sold via the Apple App Store, they are reviewed and approved by Apple. One never has absolute assurance that an app is proof against attack, but until I learn otherwise, I think Safari App Extensions are safe.


One benefit I would add is that cross platform support is great for browser extensions. Browsers already run on different OS's and devices. Browser API and extension API are fairly uniform among the major browsers. It's close to the cross platform support of general websites.

As an experiment I develop my latest browser extension on Firefox [1], Chrome, and Edge [2] at the same time to see how difficult it is to share the same code base. The difference is minuscule, like less than 0.01%. Chrome and Edge are essentially the same. Firefox is a bit behind in Manifest V3 support and needs a few lines of Firefox-specific API calls. The manifest files have a few differences. Overall, sharing the same code base is very feasible.

[1] https://addons.mozilla.org/en-US/firefox/addon/one-page-favo...

[2] https://microsoftedge.microsoft.com/addons/detail/one-page-f...

Edit: You might ask where the Chrome version is. Well, I had a heck of a time creating a new Google account for deployment. Stay tuned.


I quite like bookmarklets, easy to write. Tried a userscript but couldn't get into it. Never tried an extension, wouldn't know where to start.


How do you "compile" the bookmarklets? I know of https://bookmarkl.ink/ but then we're back trusting some third-party service again. I get that it's not rocket science, but this is definitely a small hurdle to overcome.


I don't compile them. I just write the JavaScript and wrap it in an anonymous function then save the code as a bookmark.


Ah, I thought it didn't work to simply paste the javascript directly into the bookmark. Don't you have to minimally URI encode it? `javascript:URI_ENCODED_CODE`


No, Firefox automatically encodes it, but it does have other gotchas because line-breaks are removed:

   - You have to put `;` on each statement
   - You cannot use inline comments, // you cannot do this
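Added example, not part of the thread: a local build step for the bookmarklet workflow discussed above, so no third-party "compiler" service is needed. It strips comments, collapses line breaks, fails early if the one-line form no longer parses (the missing `;` gotcha), and URI-encodes the result; `stripComments`, `toBookmarklet` and the sample input are names and data made up for this illustration.

```javascript
// Added example: build a bookmarklet URL locally from multi-line source.
// stripComments() and toBookmarklet() are hypothetical helper names.

// Drop // and /* */ comments but leave string contents alone, so the "//" in
// "https://..." survives. Regex literals and ${} interpolation are not parsed.
function stripComments(src) {
  let out = "";
  let quote = null; // active string delimiter, or null outside a string
  for (let i = 0; i < src.length; i++) {
    const c = src[i], next = src[i + 1];
    if (quote) {
      out += c;
      if (c === "\\") { out += next || ""; i++; } // copy escaped char verbatim
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === "`") {
      quote = c; out += c;
    } else if (c === "/" && next === "/") {
      while (i < src.length && src[i] !== "\n") i++; // skip to end of line
      out += "\n";
    } else if (c === "/" && next === "*") {
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? src.length : end + 1;
      out += " ";
    } else out += c;
  }
  return out;
}

function toBookmarklet(src) {
  // Collapse line breaks, which the thread notes are removed in a bookmark.
  const body = stripComments(src).split("\n").map((l) => l.trim())
    .filter(Boolean).join(" ");
  try {
    new Function(body); // parse only; the body is not executed here
  } catch (e) {
    throw new SyntaxError("breaks on one line (missing ';'?): " + e.message);
  }
  return "javascript:" + encodeURIComponent("(function(){" + body + "})();");
}

// Constructed sample input.
const SAMPLE = `
// build a string from the page origin
const base = "https://example.test/"; // trailing comment
const n = 2 + 3;
return base + n;
`;
console.log(toBookmarklet(SAMPLE));
```
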


Start with ChatGPT or a sample extension.

The unfortunate part of web browser extensions is that, like the treadmill of web frameworks and app development, browsers can’t seem to stop changing and tweaking how extensions work and remove perfectly good functionality. So you end up sometimes having to rewrite an extension or its manifest with very little assistance from browser makers. But at least you don’t need to learn XUL any longer, so not all changes are bad ;-)


I made this extension fully using ChatGPT to diagnose some layout issues. It’s super simple but ChatGPT was definitely useful setting up the Chrome boilerplate (and commenting what each option meant). Make sure you ask it to target the most recent version, they recently changed (to v3?) and it seems ChatGPT prefers writing for the old version.

https://github.com/notzane/red-box-outline


Check out Firefox examples on github, you’ll like it, I’ve had great experience learning from them to add nifty features to my browser:

https://github.com/mdn/webextensions-examples


I've had some ideas for browser extensions over the years, most recently a few months ago. I remember looking at Mozilla docs for making a Firefox browser extension and, as a SWE w/10 YoE (mostly fullstack web), I was left confused. The documentation felt incomplete and I left the article with more questions than I had before.


I run a browser automation extension that only does actions on certain sites (clipping coupons for grocery store sites and credit card offers rewards). I created it this way specifically because I am terrified of extensions that want to read and write all sites. And you should be too.

I wish the chrome store gave badges to extensions like mine to make people more aware, give a filter when searching for new extensions, and to encourage least permissive development.

The chrome store extension rules are also unevenly enforced. Take a look at the source code for something like 1password. It is full of obfuscation and completely unintelligible which is against the store rules. I base64 encoded a single string that was my json dict in an otherwise completely readable js file and it went through on one publish but a few versions later was red flagged.
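Added example, not part of the thread: a small check for the distinction drawn in the comment above between an extension scoped to certain sites and one that can read and write all sites. It reads the standard WebExtension manifest keys and reports every match pattern whose host is a bare wildcard; `isBroad`, `auditManifest` and both sample manifests are constructed for illustration.

```javascript
// Added example: flag manifests that request access to every site.
// isBroad() and auditManifest() are hypothetical helper names.

// A match pattern covers all sites when it is <all_urls> or when its host
// part is a bare "*" (e.g. *://*/* or https://*/*).
function isBroad(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

function auditManifest(manifest) {
  const findings = [];
  const check = (where, patterns = []) => {
    for (const p of patterns) if (isBroad(p)) findings.push(`${where}: ${p}`);
  };
  check("permissions", manifest.permissions); // MV2 lists hosts here too
  check("host_permissions", manifest.host_permissions); // MV3
  check("optional_permissions", manifest.optional_permissions);
  check("optional_host_permissions", manifest.optional_host_permissions);
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(`content_scripts[${i}].matches`, cs.matches));
  return findings;
}

// Constructed sample manifests: one scoped to a single site, one not.
const SCOPED = {
  manifest_version: 3,
  name: "coupon-clipper (constructed)",
  permissions: ["storage"],
  host_permissions: ["https://grocer.example/*"],
  content_scripts: [
    { matches: ["https://*.grocer.example/coupons/*"], js: ["clip.js"] },
  ],
};
const BROAD = {
  manifest_version: 3,
  name: "all-sites (constructed)",
  permissions: ["storage", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};

console.log(auditManifest(SCOPED)); // no findings
console.log(auditManifest(BROAD));
```

Running it over an unpacked extension's `manifest.json` before installing or updating gives a quick view of how much of the browser the extension can reach.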


I love working with hackable software. I kind of attack it at the source level vs writing for the browser however. For example, say there’s some tool on a git repo. I will shamelessly clone it and build off of it to my own liking. Maybe I add another 1% to the code base, or maybe that repo becomes 1% of a codebase I write on my own. These are tools I could never share however, because of the rampant plagiarism I am doing, and the fact I don’t much care about getting it to run on different systems beyond my own. That being said fast and loose coding like this is a very powerful way to iterate on personal projects that never need to be anything but. I wish more things were actually hackable especially mobile or appliance hardware. Companies never like giving the power users the reins for some reason.


Plagiarism? The vast majority of codebases I've seen on GitHub specifically allow you to do what you are doing. No need to make it sound like a bad thing.


Browser extensions, if we use the analogy as apps running within browser as an OS, are lacking simple capacities to manage the risks. Just like any app a user can install on their devices, extensions extend the attack surface. As we cannot avoid the risk by removing all of them, we can just allow users to have more control on them regardless of the browser they use. I suggested[0] using standard management APIs provided by browsers, therefore the ecosystem can use them as building blocks for FOSS and/or commercial tools. That's a very naïve idea but why not?

0. https://zaferbalkan.com/2023/10/03/browser-extension-api.htm...

