I agree. When an app uses GPS on my phone, I'm informed of that: a notification permanently displays in the top bar until it is no longer being used. Same with the camera and mic. If my clipboard is copied, I get a notification as well informing me of that and telling me which app did it.
I'm not sure why a similar system doesn't exist for browser extensions. Furthermore, there are limits to what features you can and cannot disable for Chrome extensions, and as far as I'm aware there are no logs of what actions they took.
I had an extension that randomly redirected me to scam URLs while doing completely innocuous things such as visiting the homepage for Gmail, YouTube, or performing a Google search (after pressing enter for the initial query, before clicking on any URL.) I had 15 extensions, and the redirects were infrequent enough that disabling extensions one by one wouldn't help much: it could potentially take months to track it down, and there's no way of disabling the permission to redirect to different URLs. I searched the minified source code for all of the extensions that I had, but none of them had the URLs I was redirected to. My guess is that they pulled data from a server and then redirected me to whatever malicious URL it pulled at that time. I also checked network traffic in the Chrome Task Manager to see if there was an extension sending data for unknown reasons, but again, nothing, so it likely periodically pulls a URL to redirect me to from some server, redirects me, and then sleeps for a few days. Short of un-minifying all 15 extensions and trying to understand the purpose of every redirect, many of which would be legitimate, I'm not sure what can be done.
In the end, I removed every last extension aside from my password manager and uBlock Origin (which fixed the issue — over one month later I've never been redirected to a scam URL.) Many of the extensions I used were open source, but I don't think any hash system exists to verify the minified code matches the source files for Chrome extensions (maybe I could do that manually, but I don't want to do that every time there's an update for any of the 15 extensions I had.)
It's unfortunate, as many of the extensions I used improved my productivity and helped me focus better and be distracted less. But as it is currently, the browser extension ecosystem simply isn't safe.
From what I've heard, Firefox's review process is better in some ways than Chrome's, but their extensions can have even more control of your browser.
I don't think it's impossible to design an extension system that is secure: extensions just need to have the ability to be granted extremely limited permissions, and any permission beyond what is reasonable should be denied in the review process for putting it on the Chrome or Firefox extension stores. Most of my extensions shouldn't have even needed Internet access (if they can execute JavaScript, they'd still be able to redirect me to a scam URL, but if it couldn't have pulled a URL from an external server, then the URL would need to be in the minified JS, so I'd have been able to catch it.)
I'm not sure why a similar system doesn't exist for browser extensions. Furthermore, there are limits to what features you can and cannot disable for Chrome extensions, and as far as I'm aware there are no logs of what actions they took.
I had an extension that randomly redirected me to scam URLs while doing completely innocuous things such as visiting the homepage for Gmail, YouTube, or performing a Google search (after pressing enter for the initial query, before clicking on any URL.) I had 15 extensions, and the redirects were infrequent enough that disabling extensions one by one wouldn't help much: it could potentially take months to track it down, and there's no way of disabling the permission to redirect to different URLs. I searched the minified source code for all of the extensions that I had, but none of them had the URLs I was redirected to. My guess is that they pulled data from a server and then redirected me to whatever malicious URL it pulled at that time. I also checked network traffic in the Chrome Task Manager to see if there was an extension sending data for unknown reasons, but again, nothing, so it likely periodically pulls a URL to redirect me to from some server, redirects me, and then sleeps for a few days. Short of un-minifying all 15 extensions and trying to understand the purpose of every redirect, many of which would be legitimate, I'm not sure what can be done.
In the end, I removed every last extension aside from my password manager and uBlock Origin (which fixed the issue — over one month later I've never been redirected to a scam URL.) Many of the extensions I used were open source, but I don't think any hash system exists to verify the minified code matches the source files for Chrome extensions (maybe I could do that manually, but I don't want to do that every time there's an update for any of the 15 extensions I had.)
It's unfortunate, as many of the extensions I used improved my productivity and helped me focus better and be distracted less. But as it is currently, the browser extension ecosystem simply isn't safe.
From what I've heard, Firefox's review process is better in some ways than Chrome's, but their extensions can have even more control of your browser.
I don't think it's impossible to design an extension system that is secure: extensions just need to have the ability to be granted extremely limited permissions, and any permission beyond what is reasonable should be denied in the review process for putting it on the Chrome or Firefox extension stores. Most of my extensions shouldn't have even needed Internet access (if they can execute JavaScript, they'd still be able to redirect me to a scam URL, but if it couldn't have pulled a URL from an external server, then the URL would need to be in the minified JS, so I'd have been able to catch it.)