
I program (not JS/TS), use a massive number of extensions and consider myself an absolute power user of them and refuse to ever use a browser WITHOUT the Chrome/Firefox extension ecosystem, I've written themes for Chrome and VS Code, but I'm still here- (like pink/cyan? get on in! https://marketplace.visualstudio.com/items?itemName=mikejk8s...).

I have no idea via the Chrome prompts what extensions are able to do, read, see, access, etc. "Allowed to access data on all websites" - Is this literally all data? Like what I'm typing? Like does it know when I go URL to URL? Is it just reading the assets? Is there a Chrome API that limits their access that I can see? What do I actually need to worry about? I have a video zoomer that lets me zoom in on any video on any website, do I need to literally audit each extension myself and make sure it's not mirroring my data elsewhere or something?

I have no idea. How would a non-technical user know any of this?




I'm pretty sure it's as bad as it sounds haha.

Like another user mentioned, because of this I only trust a few key extensions (and, like that user, uBlock, Bitwarden, etc.) with this sorta access.

I'd be very wary of those scrapy screen/session recording startups if for no other reason than they could be particularly vulnerable to supply chain attacks.


Not only is it theoretically as bad as it sounds, it's as bad as it sounds in reality as well. Most of the top extensions get sold to ad companies and silently start sucking up all of your browsing data to sell on. Some of them start injecting their own adverts and tracker scripts onto pages, some of them are outright stealing your credentials.

And you realistically have no way to sort the good from the bad. Especially when the good silently get sold to the bad and automatically updated.


Yeah I always go to the source/project URL in the Chrome store and IDEALLY it's a GitHub repo with a bunch of contribs but I'm sure I've played loose with a few that had no other options.

I just had one big extension I use get bought by someone last week when it updated. I gotta dig through that now... I used to hide that extension update popup screen but now I'm glad I didn't.


yes it’s that bad. i’ve written some webexts and if you ask for all data it really is all data... otherwise how would it work if you needed to change something on a page? i keep my list to my own bespoke one-off extensions or only the major big names or i audit the code manually.


Yep, I always think the 'all data' means there is no official API to do it, so I say screw it and make my own from the ground up.

Unfortunately browsers only make specific APIs for tasks that many people do. So there is always a portion of extensions that need the 'all data' because there is no way otherwise.
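
For the "audit each extension myself" question raised in this thread, the first thing to read is the extension's `manifest.json`. The following is an added example, not code from any commenter: the function name `auditManifest`, the choice of which API permissions to flag, and the sample manifest are assumptions made for illustration, while the manifest keys and permission names are the standard WebExtension ones.

```javascript
// Added example: classify what an extension's manifest.json asks for.
// Manifest keys and permission names are real WebExtension ones;
// the sample manifest below is constructed for illustration.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// API permissions that expose browsing activity or page data (editor's selection).
const SENSITIVE_APIS = new Set(["tabs", "webRequest", "webNavigation", "history",
  "cookies", "scripting", "clipboardRead", "debugger"]);

// A host permission is a match pattern: "<all_urls>" or scheme://host/path.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const declared = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 moves them to "host_permissions".
  const hosts = [...declared.filter(isHostPattern), ...(manifest.host_permissions || [])];
  // Optional hosts are not granted at install; they can be requested at runtime.
  const optionalHosts = [
    ...(manifest.optional_permissions || []).filter(isHostPattern),
    ...(manifest.optional_host_permissions || []),
  ];
  // Content scripts run inside every page matching these patterns.
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const broad = (list) => list.some((p) => ALL_SITES.has(p));
  return {
    allSitesAtInstall: broad(hosts) || broad(injected),
    allSitesOnRequest: broad(optionalHosts),
    hosts: [...new Set([...hosts, ...injected])],
    sensitiveApis: declared.filter((p) => SENSITIVE_APIS.has(p)),
  };
}

// Constructed sample: a "video zoomer" style extension (not a real product).
const sampleManifest = {
  manifest_version: 3,
  name: "Example Video Zoomer",
  permissions: ["storage", "tabs"],
  host_permissions: ["https://video.example/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["zoom.js"] }],
};

console.log(auditManifest(sampleManifest));
```

The manifest shows what an extension is allowed to do, not what its code does, and an update can change the code without changing the permissions.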



