[HN Gopher] Browser extensions are underrated: the promise of ha...
___________________________________________________________________
Browser extensions are underrated: the promise of hackable software
(2019)
Author : mufty
Score : 340 points
Date : 2024-02-04 15:43 UTC (7 hours ago)
(HTM) web link (www.geoffreylitt.com)
(TXT) w3m dump (www.geoffreylitt.com)
| cranberryturkey wrote:
| problem is you can't sell them.
| aloisdg wrote:
| is this really a problem? Being strictly open without
| monetization is a feature.
|
| You can still open a Liberapay if you want
| cranberryturkey wrote:
| open a what?
| sgift wrote:
| https://en.wikipedia.org/wiki/Liberapay - Platform for
| recurring donations/OSS funding.
| mettamage wrote:
| I use them for personal things
| seanwilson wrote:
| They're not highly visible, but there are quite a few paid
| extensions. Chrome used to have payments built into the Chrome
| Web Store before they deprecated it a few years ago
| (https://developer.chrome.com/docs/webstore/cws-payments-
| depr...).
|
| You've always been able to add your own payment system. I sell
| a freemium extension with payments going through Paddle (I
| guessed Google might deprecate their payment system so didn't
| risk it!). Gumroad and Lemon Squeezy are other examples you
| could use, where they both have simple license key checking web
| APIs.
| senkora wrote:
| Safari extensions are an exception here. They are distributed
| through the Mac OS App store, often as an optional part of a
| desktop App that can then be enabled within Safari.
| lapcat wrote:
| > problem is you can't sell them.
|
| I actually make a living selling browser extensions in the iOS
| and Mac App Store. Apple users are willing to pay.
|
| I used to sell my extension in the Chrome Web Store, until
| Google eliminated Chrome Web Store Payments (mentioned by
| another commenter). However, even with Google's payment system,
| my sales were extremely low; thus it wasn't worth my time to
| implement my own payment system in the Chrome Web Store.
|
| Apparently Firefox also used to have a payment system for add-
| ons but eliminated it.
|
| This is purely a choice by the browsers. Chrome and Firefox
| have chosen to demonetize extensions. Safari has chosen to
| monetize extensions.
| everybodyknows wrote:
| Needs [2019].
| Retr0id wrote:
| Does it? Has the browser extension landscape changed
| significantly since then?
| solardev wrote:
| Whatever happened to manifest v3?
| Retr0id wrote:
| mv3 is already referenced in the article (second link), but
| it's still not mandated yet.
| solardev wrote:
| Wow, I didn't realize that's been discussed since 2019.
| Talk about boiling a frog...
| sp0rk wrote:
| It's just a Hacker News convention to include the year in
| parentheses if the article isn't freshly published. It
| doesn't have anything to do with the content of the article
| itself.
| Retr0id wrote:
| Sure, but it's generally only done when that added context
| is important. I think this article could easily have been
| written yesterday.
| lapcat wrote:
| > Sure, but it's generally only done when that added
| context is important.
|
| No, it's almost always done, unless someone forgets.
|
| Currently in the top 3 pages of HN there are 12
| submissions with (20XY) at the end of the title. It's
| extremely common.
| dboreham wrote:
| No support on mobile devices is the big drawback.
| blibble wrote:
| seems to be a Chrome thing (gee I wonder why)
|
| safari and firefox support them
| temp0826 wrote:
| Firefox on iOS definitely does not support extensions.
| Switched to Orion and couldn't be happier.
| Retr0id wrote:
| Mobile Firefox supports extensions just fine.
| tecleandor wrote:
| That's getting better, for sure. The bad part: on mobile you
| don't have access to the whole API you have on desktop. For
| example, on mobile there's no access to your history. (I
| wanted to do an extension that cleaned older stuff from my
| history...)
| davidy123 wrote:
| You have to jump through extra hoops, at least. I was able to
| install my own custom, unpublished extension easily with
| Kiwi.
| rz2k wrote:
| On iOS/iPadOS Firefox and Chrome extensions seem to mostly work
| in the Orion browser.
| rekoil wrote:
| Lots of options on Android, and for iOS there's Orion.
| isodev wrote:
| Safari extensions work on iOS and iPadOS as well as the Mac.
| davidy123 wrote:
| On Android I use a two-fisted approach; Chrome for things that
| require auth/payments, Kiwi for everything else. Kiwi is an
| open source fork of Chrome, and it allows extensions.
| Unfortunately it's not up to date to the latest (secure)
| Chrome, but I accept that because not having control over the
| browser is its own form of exploit.
| account-5 wrote:
| I quite like bookmarklets, easy to write. Tried a userscript but
| couldn't get into it. Never tried an extension, wouldn't know
| where to start.
| lstamour wrote:
| Start with ChatGPT or a sample extension.
|
| The unfortunate part of web browser extensions is that, like
| the treadmill of web frameworks and app development, browsers
| can't seem to stop changing and tweaking how extensions work
| and remove perfectly good functionality. So you end up
| sometimes having to rewrite an extension or its manifest with
| very little assistance from browser makers. But at least you
| don't need to learn XUL any longer, so not all changes are bad
| ;-)
| notzane wrote:
| I made this extension fully using ChatGPT to diagnose some
| layout issues. It's super simple but ChatGPT was definitely
| useful setting up the Chrome boilerplate (and commenting what
| each option meant). Make sure you ask it to target the most
| recent version, they recently changed (to v3?) and it seems
| ChatGPT prefers writing for the old version.
|
| https://github.com/notzane/red-box-outline
| ustad wrote:
| Check out the Firefox examples on GitHub, you'll like them. I've
| had a great experience learning from them to add nifty features
| to my browser:
|
| https://github.com/mdn/webextensions-examples
| olejorgenb wrote:
| How do you "compile" the bookmarklets? I know of
| https://bookmarkl.ink/ but then we're back trusting some third-
| party service again. I get that it's not rocket science, but
| this is definitely a small hurdle to overcome.
| account-5 wrote:
| I don't compile them. I just write the JavaScript and wrap it
| in an anonymous function then save the code as a bookmark.
| PaulDavisThe1st wrote:
| > Browser extensions remind us what it's like to have deep
| control over how we use our computers.
|
| Uh. Linux users would like a word here.
|
| But more generally, there's a significant component of this that
| seems isomorphous to the question I was trying to discuss in a
| post I wrote several years ago called "Is Open Source a diversion
| from what users really want?"
|
| There seems to be much more excitement about ways to "hack"
| software that do not involve build systems than the complete,
| open-ended and (theoretically) unbounded access provided by
| FLOSS. It's not hard to see some obvious reasons why that would
| be true, but still a little disappointing.
|
| I tried to discuss that here, specifically in the contrast
| between Reaper's provision of scripting-but-closed-source versus
| Ardour's scripting-but-open-source.
|
| https://discourse.ardour.org/t/is-open-source-a-diversion-fr...
| Retr0id wrote:
| > Uh. Linux users would like a word here.
|
| As a Linux user, I disagree. It's not quite the same. Yes, I
| could recompile my kernel if I wanted to. I can recompile most
| of userspace too. But it's a hassle, especially if you want to
| diverge from upstream, and maintain that divergence on a long-
| term basis.
|
| You can do some fun hacks with LD_PRELOAD et al, but it's
| nowhere near the degree of flexibility and ease of access of
| browser extensions.
|
| I am _allowed_ to modify all the software as I see fit (and
| that's excellent), but the friction of actually doing so is
| (comparatively) high.
| capitainenemo wrote:
| I feel gentoo reduces that hassle a fair amount since you can
| just toss the patches in and the distro pulls them in on
| updates. So long as you're not messing with APIs it's not too
| bad in terms of bitrot.
|
| ... I suppose you could do the same thing with Debian too.
| You'd just need to maintain an overlay repo that rebuilds off
| the upstream deb sources for the packages you touched.
|
| At that point you're pretty much doing the same thing a
| distro's volunteer maintainer is doing. Take an upstream
| package, add tweaks, rebuild them automatically with tweaks
| on the next upstream release.
| Retr0id wrote:
| I should maybe give Gentoo a second try. I last tried it on
| a dual-core thinkpad and it was a pretty miserable
| experience due to the long compile times. These days I have
| fast computers, and I hear Gentoo even started shipping
| binaries recently.
|
| I have a huge amount of respect for the work distro
| maintainers do. It's not especially fun or glamorous work,
| and many are unaware that it even happens, but it's
| essential.
| dvdkon wrote:
| It's similar with NixOS, patching a package is just adding
| a few lines in a persistent (and generally short) config
| file. You "only" pay for that patch by having to update it
| for newer versions and by compile time.
|
| The developer experience isn't as good as browser
| extensions yet, though. Iterating on a patch means
| downloading that package to a local directory and building
| it there, which won't be enough for, say, patches to system
| libraries. You have to actually apply the system
| configuration for that, which means recompiling.
| nonrandomstring wrote:
| You raise an important issue around persistence of state.
|
| The question isn't whether you need to recompile source,
| change config files, download application plugins or set up a
| bunch of check-boxes in a nice GUI.
|
| It's whether you can trust those settings to stick.
|
| I've lost count of people telling me that phone settings I
| suggested simply "reverted" or somehow turned themselves back
| on/off.
|
| Even some Linux distros that use Snap alongside auto-updates
| etc are really quite sneaky.
|
| But to my mind web browsers (and I include all of them,
| Chrome, Firefox or whatever) are utterly treacherous.
|
| Any careful security stance requires constantly checking and
| re-checking that policies are still in effect.
| redder23 wrote:
| What has compiling the kernel to do with it? It's about the
| fact that Linux lets you control every single aspect of your OS
| and tweak it to your liking. It's a pretty good example of
| what it is like to control your PC, more so than
| browser extensions. Just look at what a pain in the ass it is
| to remove Edge from Windows, even now the EU has mandated it,
| it's still a 10+ step guide that requires some tool from
| GitHub ... and before that you could not even do that. Your start
| menu in Win11 is polluted with "news" and Bing AI crap ...
| with no simple way to just disable it. If you use Linux you
| are in control and there are no annoyances and almost no
| proprietary code from the very start.
|
| You have endless different Desktop Environments ... Linux
| offers way more control over the OS than any browser
| extensions do. Firefox killed the system where you could
| modify the look of the browser more. I do not mind, but I am
| still making this point when we talk about feeling in control.
|
| You make no sense.
| asadotzler wrote:
| Firefox is every bit as open source as Linux. You can
| control every aspect of it and tweak it to your liking and
| you are not limited to extensions.
| blibble wrote:
| it's very easy with Debian to maintain small patches on top
| of packages
|
| and dpkg-buildpackage will do all the hard work for you
| yoav wrote:
| I think people see extensions as a way to bypass code signing,
| distribution, and brand building.
|
| So Chrome (or whatever) becomes a platform for distributing and
| executing software.
| monkellipse wrote:
| I love the idea of browser extensions but they don't appear to be
| worth the security/privacy risk for my use cases. I wonder how
| many others are like me and too paranoid to risk extensions at
| all?
| extesy wrote:
| At all? Not even uBlock Origin? That would actually go against
| your stated goal of security/privacy.
| monkellipse wrote:
| Correct, none. I use Pi-hole for blocking. But the bigger
| point I think is that security conscious users are hesitant
| to employ extensions in general, even if some folks are ok
| with a couple select extensions they are still spooked by the
| general field.
| seagulls wrote:
| DNS blocking has not been effective for probably close to a
| decade, with domain-fronting, L7 adware/spyware,
| fingerprinting and other trickery. Parent comment correctly
| characterized the lack of UBO as a net security/privacy
| loss.
| Hackbraten wrote:
| I use only very few extensions. If they're open source, then
| instead of installing them from the browser's store, I maintain
| them as AUR packages. [1]
|
| That way I force myself to build them from source.
|
| My habit is also to inspect the changes between upstream
| releases. It's mostly spot checks, but it's better than
| nothing.
|
| [1]: https://aur.archlinux.org/packages?O=0&SeB=nd&K=firefox-
| exte...
| swozey wrote:
| I honestly can't imagine not using extensions. I'm 39 and have
| been on the web since Netscape etc in the early 90s and I
| honestly care more about the extensions than I do anything the
| browser actually does. Like, if there were no extensions I
| don't think I'd care at all if I used Firefox, Chrome, Opera,
| etc. But Chrome and Firefox have this massive, massive
| ecosystem of productivity improving extensions.
|
| I'll give an example since I'm tooting so loudly about this, my
| job entails a lot of R&D and distributing knowledge to other
| engineers in a concise manner. I use an app called Hypothesis
| (https://web.hypothes.is/) which is very popular in research
| groups.
|
| What it does is it lets me essentially annotate websites. So
| for instance I have an application with a front end UI, instead
| of writing readmes with no interaction to the front end UI I
| can actually annotate each page like a how-to, or a help doc.
| You go to that specific URL and get notified that there's a
| hypothesis doc on it to read.
|
| When I used to work at a k8s distro company I used it to help
| teach people how to deploy clusters, etc.
|
| Another one is Dark Reader that makes every single website dark
| mode. uBlock, I can't even remember a time of my life not using
| it to block ads. I do have null stuff via Cloudflare DNS as well
| but still use uBlock everywhere since it's also a massive
| security improvement blocking chaotic JavaScript.
|
| It's amazing for training situations.
|
| https://web.hypothes.is/
| FormulatedEdits wrote:
| Hello. I used to use Dark Reader but then it changed
| hands and a very questionable update appeared and freaked
| many people out, so I uninstalled. IIRC the changes were
| removed, or the additional code was not correctly activated,
| maybe both. Anyway, you may wish to check the status of that
| particular extension. I use some flag in config now to do
| approximately the same thing, it's not as effective, but it's
| close.
| mozball wrote:
| Your paranoia is warranted. Like I replied in another thread
| up, there are a couple of things you can do. Use multiple
| browsers/profiles. Keep a separate profile or two with no
| extensions for banking, shopping, email and other important
| stuff. You can install a couple of addons in your 'general
| browsing' profile. In general install only 'recommended' and
| security-reviewed addons with Firefox.
| seagulls wrote:
| There's a handful of trustworthy extensions like uBlock Origin,
| otherwise any with full DOM access are basically a browser
| rootkit.
| throwaway63467 wrote:
| Many popular browser extensions were bought up by data brokers
| that use them to exfiltrate browser history, so not sure if
| they're underrated, I think you have to be pretty careful as the
| extension security/privacy model is/was pretty awful. I e.g. know
| screenshotting extensions (Awesome Screenshot) that would vacuum
| up your browser history and send it to a data broker in Israel.
| So probably better to have that as a native browser feature.
| jwells89 wrote:
| Yes. Because of this and the lack of fine-grained permissions
| mentioned by a sibling comment, I tend to use desktop apps
| where I can instead of extensions, keeping my extensions list
| quite slim -- basically all I install are FOSS extensions by
| "big" known-good authors (e.g. Raymond Hill) or projects that
| aren't going to sell out.
|
| Of course risks exist with desktop apps too, but historically
| this kind of buy-and-exfiltrate scheme is comparatively rare
| with desktop apps, particularly on macOS where signed apps are
| sandboxed and can't do a whole lot without user permissions.
| seanwilson wrote:
| > I tend to use desktop apps where I can instead of
| extensions
|
| How locked down are desktop apps now on Mac, Windows and
| Linux? I haven't kept up. Do they still have a lot of access by
| default to do malicious things with? I recently saw someone
| install the Adobe Acrobat desktop app and it installed its
| own extension inside of Chrome without asking. Games can have
| scary DRM as well.
|
| Chrome extensions can't read/write to arbitrary places on
| your hard disk without asking for example and you can isolate
| them within separate profiles. Not saying they're perfect but
| there is robust sandboxing of what they're allowed to do. I'm
| curious how this compares to an Electron-based desktop app
| i.e. which is running Chrome on the inside but with the
| standard restrictions Chrome places on tabs and extensions
| unlocked.
| jwells89 wrote:
| > How locked down are desktop apps now on Mac, Windows and
| Linux?
|
| It's hit or miss. There have been advancements on macOS and
| Linux where there are mobile-style permissions and
| sandboxing in some cases, but one needs to be aware of how
| apps are packaged to be able to leverage these
| advancements. Adobe stuff and Chrome on macOS for example
| have basically free rein still as they have specifically
| opted out of OS sandboxing, while a lot of small indie apps
| are sandboxed. Chrome I think can be put in a sandbox on
| Linux by way of Flatpak.
|
| Windows has done practically nothing and is the same as
| it's always been where desktop apps can do basically
| whatever they please, especially if given privileges with
| UAC (which seemingly every other Windows app needs for some
| reason).
| wongarsu wrote:
| Windows introduced better mobile-style permissions and
| sandboxing with the APPX format in Windows 8. However the
| only incentives to use it were the ability to build UWP
| apps and accessing the Windows Store. Everyone rejected
| the Windows Store, so developer adoption is close to zero
| (and now those incentives are gone too)
| lapcat wrote:
| > on macOS where signed apps are sandboxed and can't do a
| whole lot without user permissions
|
| Mac App Store apps are (mostly) sandboxed. Developer ID
| signed Mac apps distributed outside the App Store are mostly
| not sandboxed.
| foobiekr wrote:
| It's not the lack of a fine grained permissions model, it's
| the total lack of a real threat model and any consideration
| at all for what happens as extensions change over time.
| seagulls wrote:
| The bar to write secure desktop software is significantly
| higher than for browser extensions. Especially with all the
| Electron crap these days, you're one XSS away from full-blown
| RCE.
| jwells89 wrote:
| Absolutely, but the short- and long-term risk posed to most
| by installing random browser extensions willy-nilly is
| still almost certainly higher than that of instead opting
| for vetted desktop apps, especially if using PWAs in place
| of Electron apps where possible (which I do).
| asadotzler wrote:
| Desktop apps are no more vetted than Firefox extensions.
| jwells89 wrote:
| I'm talking about community vetting. It's usually easier
| to find discussions on the internet where people have
| discussed and scrutinized desktop apps (e.g. "this app
| phones home") than it is to find the same for most
| browser extensions (which are often only heard about
| after having been turned into malware).
|
| The tooling is often better there too, e.g. one can keep
| a short leash on app network activity with Little Snitch
| and similar but I'm not aware of an equivalent for
| browser extensions.
| lapcat wrote:
| > Many popular browser extensions were bought up by data
| brokers that use them to exfiltrate browser history, so not
| sure if they're underrated
|
| I would say, as the developer of an upfront paid web browser
| extension, that upfront paid web browser extensions are
| underrated. ;-)
|
| It's a truism that if you're not the customer, you're the
| product. But what if you are the customer? I think a lot of the
| mistrust of browser extensions is due to the difficulty in
| monetizing extensions directly. If you're making nothing from
| an extension, and someone offers you a nice check to acquire
| the extension, it can be difficult to turn down that money,
| especially if the extension is a support burden for the
| developer. Of course I have my price too, as almost everyone
| does, but at this point the price would have to be 7 figures
| (maybe 8??), which I don't think anyone would ever pay for my
| extension. My user base is relatively small, and thus doesn't
| provide a huge opportunity for data collection or other
| nefarious schemes, precisely because the extension is paid
| rather than free.
| jwells89 wrote:
| Something that'd help here is if extension galleries
| displayed price tags and let you filter by paid (bonus points
| for being able to distinguish between one-time and
| subscription).
| mnau wrote:
| I will leave this as a gallery of emails with offers to buy
| extension hoverzoom:
| https://github.com/extesy/hoverzoom/discussions/670
|
| Sidenote: The "collaboration" offers come from time to time
| even to non-extensions projects, if they are reasonably
| widely used. E.g. simple tools (rather widely used suite of
| android apps recently sold).
| lapcat wrote:
| "Your real profit per day will be $ 9000."
|
| LOL
| mnau wrote:
| I believe the profit number, even the number of lines > 8
| lines of code in the manifest of your extension.
|
| As long as they are lines [like ones used to collect card
| info](https://www.theregister.com/2018/09/11/british_airw
| ays_websi...) from British Airways (supply chain attack).
|
| For how many days will profit be collected is the
| question (plus the fun criminal investigation).
| Fnoord wrote:
| Yup, and he won't care about the criminal investigation
| because he's from the other side of iron curtain v2. But if
| you're from the side where the nation isn't the cover for
| criminal enterprise you could get in trouble.
| Fnoord wrote:
| This is fantastic. Too bad they redacted the names. These
| scumbags deserve to be known. And the saddest part of the
| story is you don't know if it is true or a cover-up. On the
| other hand it appears to be MIT. Are Google Chrome
| extensions reproducible?
| bbsz wrote:
| Out of curiosity, those Russian messages are in Russian
| because you are Russian or an eastern solicitor simply
| doesn't give a F?
| mnau wrote:
| What Russian messages?
| bbsz wrote:
| 06/07/2016 and 10/30/2017, and 11/22/2018, I think there
| may be one or two more but I am too lazy.
|
| cool idea to publish those. i remember when the pirate
| bay was publishing takedown notices in a special, public,
| category
| emodendroket wrote:
| > It's a truism that if you're not the customer, you're the
| product.
|
| Though, even if you are, paid products are often monetized in
| all the exact same ways. Why not.
| xmprt wrote:
| The only difference between a paid and unpaid piece of
| software is the revenue stream. In a paid software, your
| incentive to not screw over existing users is because your
| app would get poorer ratings and you won't acquire new
| paying customers. I've seen many times where a paid app
| stops growing as much and turns into a subscription model
| or becomes unpaid, giving paid users some small benefit (or
| nothing at all) and starts screwing over all users
| indiscriminately.
| wintermutestwin wrote:
| > probably better to have that as a native browser feature
|
| /Agree. It is crazy that I have to trust some unknown coder
| with all my browser data just to enable vertical tabs in
| Firefox.
|
| Of course many of these extensions are open source and thus
| auditable. As I lack the skill to detect nefarious code, I am
| wondering if this might be a good use case for AI. Anyone have
| thoughts on building good malware-finding prompts?
| seanwilson wrote:
| I wish browser extensions had more fine-grained permissions but
| it's a tricky problem verifying if software is using permissions
| maliciously (see the Obfuscated C Code Contest and the Underhanded
| C Contest) and how to communicate nuanced permissions to users
| (most users don't read and/or understand tech stuff, and can be
| easily misled).
|
| A tip in Chrome that I never see mentioned if you want to be
| extra safe when trying extensions:
|
| - Go to Profiles > Add profile > Continue without account
|
| - Install any extensions you feel like in this profile and
| they're completely isolated from the tabs, logins, history,
| cookies and so on in your regular profile. Similarly, you can run
| Chrome Beta or Chrome Canary for installing extensions into,
| alongside regular Chrome.
|
| E.g. you can install 10s of potentially risky web development
| extensions into this profile (they usually need a lot of access
| to do what they need to do), and keep them sandboxed away from
| the profile where you do your personal banking or login to work
| websites.
|
| It's not practical for every extension, but I do this for my web
| development stuff and only use a couple of extensions for
| personal stuff.
|
| I sell a browser extension where the permission I really want to
| ask for is "can only observe the network traffic it
| sends/receives in its own tabs" but I'm lumped with having to ask
| for the "read and write all your data" permission, but I make
| sure to share the above tip in the description (shameless plug:
| https://chromewebstore.google.com/detail/checkbot-seo-web-sp...).
| imhoguy wrote:
| Firefox user here, I wish Multi-Account Containers had a way to
| disable extensions per container. I don't need any on my
| banking site. Sure I could use separate Profile but UX hurts
| here.
| SushiHippie wrote:
| Yep, Firefox profile UX is sadly not good. But I just bind
| different firefox profiles to different keybinds in my WM
| thisislife2 wrote:
| Yeah, as you figured out, a separate profile is currently the
| only workaround. In case you aren't aware, there is an easy
| way to quickly launch it though in Firefox or Pale Moon - go
| to _about:profiles_ and you can easily create / launch any
| profiles quickly in a new window.
| Terr_ wrote:
| It may be a little paranoid, but I use a separate local user
| account for those kinds of things.
|
| Perhaps not convenient, but it certainly helps keep me on
| task when I'm in official-paperwork mode. :p
| fsflover wrote:
| I solved this problem by using Qubes OS. Different Firefox
| instances for different tasks run in dedicated VMs, with
| independent configs and extensions. It allowed me to better
| organize my digital life and provided more security at the
| same time.
| sidwyn wrote:
| The "read and change all your data" permission is a huge hurdle
| for our shopping extension, especially since we only need to
| identify shopping pages. What I've tried to build trust is to
| open source our tracking analytics (e.g.
| https://github.com/Score-Extension/score-extension-
| analytics...).
|
| Hopefully transparency is one way to overcome this trust
| barrier.
| Springtime wrote:
| _> I sell a browser extension where the permission I really
| want to ask for is "can only observe the network traffic it
| sends/receives in its own tabs" but I'm lumped with having to
| ask for the "read and write all your data" permission_
|
| Yeah it would be nice if there were a way to limit the entire
| scope of an addon's permissions to a whitelist of domains.
| Chromium has a way of whitelisting domains an addon can run
| on[1] but I've assumed it doesn't affect the broader
| permissions you mention (general history, etc).
|
| [1] Click 'Details' of the addon and switch the 'Allow this
| extension to read and change all your data on websites you
| visit' option to 'On specific sites' then add the sites to the
| whitelist.
| seanwilson wrote:
| > Yeah it would be nice there were a way to limit the entire
| scope of an addon's permissions to a whitelist of domains.
|
| You can do this for the network read/write permissions, where
| the permission request dialog on install will tell you the
| URL patterns the extension wants access to.
|
| I can't do this for my specific extension though. My
| extension checks web pages for problems like broken links, so
| it needs to be able to fetch any web page URL you give it and
| then it has to fetch any URLs that are linked to on the page,
| so I have to ask for access to http://* and
| https://* (I could maybe get away with just the
| `activeTab` permission to check the domain of the current tab
| if the checks were more limited though).
|
| The extension is only doing operations like this within its
| own tab, when you have the extension open, and for its own
| network requests, so it's frustrating there isn't a more
| granular permission I can ask for as I've isolated it as much
| as I could.
|
| It's a tricky problem though. Browser makers will have
| certain kinds of extensions in mind, and optimise to make the
| permission system and permission request messages friendly
| for those kinds of extensions. Less standard extensions
| usually have to settle for broader permissions with less
| friendly permission descriptions, until hopefully the
| permission system gets iterated on based on how it's being
| used in the wild (Manifest V3 in Chrome for example).
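As an added example that is not from any commenter or product in the thread, here is a small Python audit of what an extension's manifest.json asks for: it separates API permissions from host match patterns (kept in `permissions` under Manifest V2 and in `host_permissions` under V3), includes content-script `matches`, and flags the patterns such as `<all_urls>` and `https://*/*` that amount to the "read and change all your data" request discussed above. The three sample manifests are constructed, and the set of sensitive API permissions is my own non-exhaustive selection.

```python
"""Audit the page-access surface an extension declares in its manifest.json.

Added example, not code from any project mentioned in the thread. Host match
patterns live in "permissions" in Manifest V2 and in "host_permissions" (plus
"optional_host_permissions") in V3; content scripts declare their own "matches".
"""
import json
import re
from typing import Any

# Chrome API permissions worth a second look when the question is "who can see
# my browsing data?". A non-exhaustive selection; all are real permission names.
SENSITIVE_API_PERMISSIONS = {
    "history", "tabs", "cookies", "webRequest", "webRequestBlocking",
    "downloads", "bookmarks", "management", "nativeMessaging", "debugger",
    "proxy", "privacy",
}

# scheme://host/path: scheme '*' means http or https, host '*' means any host,
# host '*.example.com' means a domain and all of its subdomains.
_MATCH_PATTERN = re.compile(r"^(\*|https?|wss?|ftp)://(\*|\*\.[^/*]+|[^/*]+)(/.*)$")


def classify_match_pattern(pattern: str) -> str:
    """Return 'all' (every site), 'scoped' (named hosts) or 'invalid'."""
    if pattern == "<all_urls>":
        return "all"
    if pattern.startswith("file://"):  # file URLs carry no host component
        return "scoped"
    m = _MATCH_PATTERN.match(pattern)
    if m is None:
        return "invalid"  # e.g. a URL missing the trailing path component
    return "all" if m.group(2) == "*" else "scoped"


def _is_host_pattern(entry: str) -> bool:
    """Tell a host pattern (scheme://...) apart from an API permission name."""
    return entry == "<all_urls>" or "://" in entry


def audit_manifest(manifest: dict[str, Any]) -> dict[str, Any]:
    """Summarise which API permissions and which sites the manifest asks for."""
    declared = list(manifest.get("permissions", []))
    api_perms = [p for p in declared if not _is_host_pattern(p)]
    # MV2 keeps host patterns in "permissions"; MV3 moves them to host_permissions
    host_patterns = [p for p in declared if _is_host_pattern(p)]
    host_patterns += manifest.get("host_permissions", [])
    optional_hosts = list(manifest.get("optional_host_permissions", []))
    # Pages on which content scripts are injected automatically
    cs_matches = [m for cs in manifest.get("content_scripts", [])
                  for m in cs.get("matches", [])]
    classified = {p: classify_match_pattern(p) for p in host_patterns + cs_matches}
    return {
        "manifest_version": manifest.get("manifest_version", 2),
        "api_permissions": api_perms,
        "sensitive_api_permissions": sorted(set(api_perms) & SENSITIVE_API_PERMISSIONS),
        "host_permissions": host_patterns,
        "optional_host_permissions": optional_hosts,
        "content_script_matches": cs_matches,
        "broad_patterns": sorted(p for p, c in classified.items() if c == "all"),
        "invalid_patterns": sorted(p for p, c in classified.items() if c == "invalid"),
        # True when some pattern grants access to every site (the "all your data" case)
        "reads_all_sites": any(c == "all" for c in classified.values()),
        # True when page access is limited to the tab the user invokes it on
        "active_tab_only": "activeTab" in api_perms and not classified,
    }


def audit_manifest_json(text: str) -> dict[str, Any]:
    """Convenience wrapper for the raw contents of an unpacked manifest.json."""
    return audit_manifest(json.loads(text))


# Constructed sample: a link checker that must fetch any URL the user gives it,
# the situation described in the thread, so it declares every http(s) host.
LINK_CHECKER_MV3 = {
    "manifest_version": 3,
    "name": "link checker (constructed sample)",
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["http://*/*", "https://*/*"],
}

# Constructed sample: the same tool limited to one domain, asking for the rest
# only as optional permissions the user can grant at runtime.
SCOPED_MV3 = {
    "manifest_version": 3,
    "name": "scoped checker (constructed sample)",
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["*://*.example.com/*"],
    "optional_host_permissions": ["https://*/*"],
}

# Constructed MV2 sample: API permissions and host patterns share one list,
# and the content script runs on every https page.
HISTORY_MV2 = {
    "manifest_version": 2,
    "name": "history reader (constructed sample)",
    "permissions": ["tabs", "history", "<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}],
}

if __name__ == "__main__":
    for sample in (LINK_CHECKER_MV3, SCOPED_MV3, HISTORY_MV2):
        print(sample["name"], json.dumps(audit_manifest(sample), indent=2))
```

Feed `audit_manifest_json` the manifest.json from an unpacked extension to get the same summary for a real one.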
| justsomehnguy wrote:
| On Windows you can use apps packaged by portableapps.com. Needs
| AllowMultipleInstances=true in the .ini.
| silvestrov wrote:
| I think what we need the most is a "view source" for browser
| extensions installed from the store: make it easy to view the
| source and to extract the browser extension into a folder.
|
| Make it easy to find out which web pages they access and which
| they modified.
|
| Minimized/encrypted code in extensions should be forbidden. It
| should be very easy to read the code.
|
| E.g. this extension says "records user activity", but what is
| that really:
| https://chromewebstore.google.com/detail/coffeelings/hcbddpp...
| a13o wrote:
| In chrome go to chrome://extensions, enable developer mode, and
| now you can view source for any extension in devtools. The
| content scripts are already available in the regular web page's
| devtools without enabling developer mode.
|
| The total list of websites is available in the installation
| popup for the extension.
|
| The Chrome Web Store already bans code obfuscation.
| Minification is allowed as there's no meaningful way to enforce
| the quality of variable names.
| Fogest wrote:
| It is very annoying to try and follow through minified code.
| I've tried to view the source and see what some extensions
| are doing but it can be a bit of a painful process. You can
| at least sometimes figure out what kind of GET/POST requests
| the extension may be making, but it's much more time
| consuming to try and ensure everything is safe.
|
| The other problem is that the extensions can update. You
| typically get zero notification an extension was updated.
| Most extensions start off safe, but later get sold and used
| to farm data.
| redder23 wrote:
| There is a button to format the code for minified files.
| Fogest wrote:
| Formatting isn't the issue. Just more time consuming to
| try and read the code when it's all got garbage variable
| and function names. Not that you can't do it, just
| slightly more effort. Also the bigger issue I mentioned
| in my comment relates to the problem of extensions
| updating without any notice.
| Sephr wrote:
| You can view the source of browser extensions hosted on the
| Chrome Web Store without installing them. I've occasionally
| used this tool for that purpose: https://robwu.nl/crxviewer/
|
| This won't help against intentionally-obfuscated code but it
| should help with security & privacy research for most
| extensions.
| fabian2k wrote:
| They're much too big of a target now for spy- or malware. They
| have too much access to everything we do in a browser. And you
| can't just evaluate them once, they auto-update silently and you
| never know when they might be bought by a malicious actor.
|
| I use a very limited set of extensions I trust like uBlock origin
| and Bitwarden. Also some developer extensions, but usually not on
| my main browser. Everything else is just not worth the risk for
| me.
| empiricus wrote:
| Is there a way to use browser extensions safely? Any extension
| that looks interesting needs access to everything I see on the
| screen (and even modify it), which to me seems a huge security
| risk. My understanding is that a random extension is able to
| read and send somewhere almost all my data when I read my email,
| do online banking, etc. Do I understand correctly the situation?
| Hackbraten wrote:
| You're free to use only extensions which are open source. So
| you can build them yourself, and also spot check changes in the
| code whenever there's a new upstream release.
| gsuuon wrote:
| That'd help, but a problem is they could still go closed-
| source and you wouldn't know - the store itself has no
| concept of open or closed source so it's not like you could
| check an "uninstall if it goes closed source" box. Maybe
| there's room for a browser extension that hosts other browser
| extensions but with a much better security model than what
| Google allows.
| dvdkon wrote:
| I think that'd be a great idea, an "FDroid for extensions":
| A store that serves exactly the code in the repo. Sadly I
| don't think Chrome/Firefox allow building this as an
| extension itself.
| Hackbraten wrote:
| You don't have to use the store to install and update the
| extension. You monitor the upstream GitHub release feed,
| and build and install the extension yourself on every
| update.
| senkora wrote:
| It's possible to extract the extension's source, save it
| locally, and then manually install it. That insulates you from
| the risk of a malicious update.
|
| (You could also audit the extension for complete safety, but
| TBH I'm usually too lazy to do that, and I assume that the risk
| of an extension currently being malicious is far lower than the
| risk of an extension later being updated to become malicious)
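A worked example of the "view source / extract into a folder / see which pages it touches" workflow silvestrov asks for above and the local extraction senkora describes here. This is added code, not from the thread or from crxviewer; it parses the documented CRX2/CRX3 container layout, evaluates match patterns for the common http(s) cases only, and SENSITIVE_URLS and SAMPLE_MANIFEST are constructed samples.

```python
"""Unpack a Chrome Web Store .crx (v2 or v3) and summarise, from its
manifest.json, which pages its code can reach.  Added example; not code from
the thread or from any tool mentioned in it."""
import io
import json
import re
import struct
import tempfile
import zipfile

# Constructed sample of pages you would not want an extension to reach.
SENSITIVE_URLS = ["https://mail.example.org/inbox", "https://bank.example.com/accounts"]

def crx_to_zip(data: bytes) -> bytes:
    """Strip the CRX container and return the embedded ZIP.
    CRX2: "Cr24", version 2, key length, signature length, key, signature, ZIP.
    CRX3: "Cr24", version 3, header length, protobuf header, ZIP."""
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file (bad magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return data[16 + key_len + sig_len:]
    if version == 3:
        return data[12 + struct.unpack_from("<I", data, 8)[0]:]
    raise ValueError(f"unsupported CRX version {version}")

def unpack_crx(crx_bytes: bytes, out_dir: str = "") -> tuple:
    """Extract into out_dir (a fresh temp dir by default); return (manifest, dir).
    ZipFile.extractall() drops absolute paths and '..' parts, so a hostile
    archive cannot write outside out_dir."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="crx-")
    with zipfile.ZipFile(io.BytesIO(crx_to_zip(crx_bytes))) as zf:
        zf.extractall(out_dir)
        manifest = json.loads(zf.read("manifest.json"))
    return manifest, out_dir

_PATTERN_RE = re.compile(r"^(\*|https?|file|ftp)://(\*|\*\.[^/*]+|[^/*]+)?(/.*)$")
_URL_RE = re.compile(r"^(https?)://([^/]+)(/.*)?$")

def pattern_matches(pattern: str, url: str) -> bool:
    """WebExtension match pattern vs. an http(s) URL: '*' scheme = http or https,
    '*.host' = host plus subdomains, '*' in the path = wildcard.  Ports and
    file:// URLs are not handled."""
    if pattern == "<all_urls>":
        return True
    pm, um = _PATTERN_RE.match(pattern), _URL_RE.match(url)
    if not pm or not um:
        return False
    scheme, host, path = pm.groups()
    u_scheme, u_host, u_path = um.group(1), um.group(2), um.group(3) or "/"
    if (scheme != "*" and scheme != u_scheme) or host is None:
        return False
    if host.startswith("*."):
        base = host[2:]
        if u_host != base and not u_host.endswith("." + base):
            return False
    elif host != "*" and host != u_host:
        return False
    path_re = "^" + ".*".join(re.escape(p) for p in path.split("*")) + "$"
    return re.match(path_re, u_path) is not None

def reach_summary(manifest: dict) -> dict:
    """Split API permissions from host access (MV2 and MV3 keys) and flag
    which SENSITIVE_URLS any declared pattern covers."""
    is_host = lambda p: "://" in p or p == "<all_urls>"
    hosts = [p for k in ("permissions", "host_permissions", "optional_host_permissions")
             for p in manifest.get(k, []) if is_host(p)]
    api_perms = [p for p in manifest.get("permissions", []) if not is_host(p)]
    scripts = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    patterns = set(hosts) | set(scripts)
    return {"name": manifest.get("name"),
            "manifest_version": manifest.get("manifest_version"),
            "api_permissions": sorted(api_perms),
            "host_patterns": sorted(set(hosts)),
            "content_script_matches": sorted(set(scripts)),
            "can_reach_sensitive": [u for u in SENSITIVE_URLS
                                    if any(pattern_matches(p, u) for p in patterns)]}

def make_sample_crx(manifest: dict) -> bytes:
    """Wrap a tiny constructed extension in a CRX3-shaped container (empty
    header; a real file carries a signed protobuf CrxFileHeader there)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("content.js", "// constructed sample content script\n")
    return b"Cr24" + struct.pack("<II", 3, 0) + buf.getvalue()

SAMPLE_MANIFEST = {  # constructed; not a real extension
    "manifest_version": 3, "name": "Constructed sample extension", "version": "0.1",
    "permissions": ["storage", "tabs"],
    "host_permissions": ["https://shop.example.com/*"],
    "content_scripts": [{"matches": ["*://*.example.com/*"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    # For a real file: unpack_crx(open("ext.crx", "rb").read(), "unpacked/")
    manifest, folder = unpack_crx(make_sample_crx(SAMPLE_MANIFEST))
    print("unpacked to", folder)
    print(json.dumps(reach_summary(manifest), indent=2))
```

The unpacked folder can be loaded with "Load unpacked" in developer mode, which is the manual install step that detaches the copy from store updates.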
| seagulls wrote:
| > That insulates you from the risk of a malicious update.
|
| It also insulates you from critical security updates.
| Managing your own security is not without its risks.
| ysavir wrote:
| Not really, I don't think. I hear a lot of people saying that
| you can inspect the source if you follow steps X, Y, and Z, but
| that's not a one time thing. Each time the extension is updated
| you have to do a full audit. You can install it independently
| to avoid updates, but then you run the risk of things breaking
| or falling behind (such as adblocker lists). Happy to learn
| from more experienced people that I'm wrong on this, but that's
| my current expectation from decades of using browsers and
| extensions.
|
| For me, an extension can only require so much hands on effort
| before that effort outweighs the rewards of the extension.
| Years ago I had the Vimium plugin and loved it, but the
| provided functionality isn't worth the necessary audits. Not
| wanting to have to trust that it never sells out or gets
| hacked, I got rid of it. These days I just use a small handful
| of extensions (ublock origin, noscript, vuejs devtools) that I
| feel comfortable trusting and that make a significant impact on
| my browsing experience. I can manage without the rest.
| mozball wrote:
| - An addon like vimium shouldn't need too many updates so
| auditing and disabling auto-updates might be worth it.
|
| - Firefox has 'recommended' addons. In addition some of the
| more popular addons are security vetted (their addon pages
| don't come with the scary "not reviewed" warning). These can
| be reasonably assumed to be safe.
|
| - Also read my other reply to gp.
|
| > These days I just use a small handful of extensions
|
| Same here. Resisting fomo and temptations for new shiny is
| the hardest part but still worthwhile imo
| mozball wrote:
| > My understanding is that random extension is able to read and
| send somewhere almost all my data when I read my email, do
| online banking, etc.
|
| Depends on the permissions requested by the extension but often
| yes. The permission "Can read all data on any webpage" means
| exactly that.
|
| > Is there a way to use browser extensions safely?
|
| Yes. Depending on your paranoia/security standards. Here's
| what you can do (ordered by importance.)
|
| 1. Use more than one browser (but stay away from proprietary or
| less popular browsers) and/or use multiple profiles (both
| firefox and chrome have them)
|
| 2. Have separate profiles for banking, personal email, work and
| general browsing. (Also good for productivity)
|
| 3. Banking profile should have no extensions.
|
| 4. Use only mozilla-vetted 'recommended' and 'security
| reviewed' extensions in firefox for less important accounts.
| Check the permissions carefully and see if they're sane. I
| don't use extensions in chrome at all since google web store
| does no vetting at all beyond automated scanning. It's the wild
| west out there.
|
| 5. You can be less careful with general browsing profiles as
| long as you don't log into important accounts. Use firefox
| containers (this is more for privacy though than security)
|
| 6. If some addon is tempting but not reviewed - I try to review
| the code (if it's small and readable enough). After vetting, I
| disable auto-updates. A greasemonkey script that does
| equivalent functionality is often preferable since the code is
| usually smaller and readable. Disable auto-update there too.
| Otherwise resist the temptation to install too many addons.
| fragmede wrote:
| Chrome has controls to not allow an extension free rein on
| all sites despite it asking for them. Allow only on specified
| sites. It's not a default for some reason, but if the
| extension doesn't have access then it can't do anything, bad
| or good.
|
| Of course it doesn't help that it's a finance site that
| disables paste for which I need an extension to reenable, but
| at least I'm not letting the rest of my extensions get at my
| banking web session.
| empiricus wrote:
| So the current options are 1. don't use extensions - this
| limits comfort and productivity, and the entire purpose of
| extensions 2. use extensions but lose security (are you
| feeling lucky today? what about tomorrow?)
|
| This seems so dumb. Is this the best solution from
| google/mozilla/etc? I am thinking that an option to disable
| all extensions on a particular site/tab could solve many
| issues, maybe even with default on for well known email and
| bank providers. This would encourage ppl to install more
| extensions because they don't care what happens when they
| just read reddit.
| Sophira wrote:
| > Today, it requires a big jump to go from using browser
| extensions to creating them: you need to learn a fair amount of
| web development to get started, and you can't easily develop
| extensions in the browser itself. What if there were a quick way
| to get started developing and sharing extensions in the browser?
| You could imagine smoothly transitioning from editing a website
| in the developer tools to publishing a small extension.
|
| They're not full extensions, but userscripts and user styles go a
| long way, and extensions exist that allow people to create/use
| them in the browser (eg. Tampermonkey[0] and Stylus[1].) I
| consider them incredibly important, even though they can't do as
| much as extensions.
|
| [0] https://www.tampermonkey.net/ [1]
| https://chrome.google.com/webstore/detail/stylus/clngdbkpkpe...
| remram wrote:
| Userscripts are underrated! I use them for all kinds of things,
| like fixing GitHub's useless landing page (taking me to my
| repositories instead), making the Mastodon "follow" button work
| (by hardcoding my instance's domain), blocking useless results
| from Google search results (stackshare and the like),
| redirecting from the YouTube "short" view to the normal video
| view, removing the stupid whitespace to the right of Gmail's
| scrollbar, etc.
| sanitycheck wrote:
| I've used Tampermonkey for a couple of moderately complex
| things and it does work well... I didn't come across a
| particularly nice way to use an external editor or integrate
| it with a normal dev workflow though, I wonder if anyone has
| tricks to share?
|
| I'm fairly satisfied with editing in VS Code, using a
| tsconfig.json with strict mode and checkJs turned on, then
| using JSDoc for typing. The ugly bit is the manual copy-paste
| into the Tampermonkey code area each time.
| dvdkon wrote:
| I don't use Tampermonkey (it's not FLOSS), but I'm pretty
| sure Violentmonkey autoreloads script files when that
| script was installed from a local file (maybe I had to
| enable it somewhere).
| remram wrote:
| I tend to copy/paste into the console anyway during
| development, so having to copy/paste into Tampermonkey too
| doesn't slow me down too much. I suppose it would be nice
| to have a more integrated workflow though.
| mcoliver wrote:
| I run a browser automation extension that only does actions on
| certain sites (clipping coupons for grocery store sites and
| credit card offers rewards). I created it this way specifically
| because I am terrified of extensions that want to read and write
| all sites. And you should be too.
|
| I wish the chrome store gave badges to extensions like mine to
| make people more aware, give a filter when searching for new
| extensions, and to encourage least permissive development.
|
| The chrome store extension rules are also unevenly enforced. Take
| a look at the source code for something like 1password. It is
| full of obfuscation and completely unintelligible which is
| against the store rules. I base64 encoded a single string that
| was my json dict in an otherwise completely readable js file and
| it went through on one publish but a few versions later was red
| flagged.
| jlawrence6809 wrote:
| I built a chrome extension that is featured on the chrome web
| store[1] and the number of requests I get from shady data brokers
| looking to buy my extension and fill it with spyware is really
| concerning. A naive dev could build something cool and sell it
| off to someone thinking they'll maintain it for them but instead
| just cause a hazard for users. Google seems to do a decent job of
| reviewing the use of permissions but some extensions like mine
| really need access to everything on the page so I can only
| imagine what a data broker could do with it. Be careful what you
| install.
|
| [1] https://chromewebstore.google.com/detail/css-selector-
| helper...
| swozey wrote:
| Cool extension. I love when devs open source stuff that makes
| their lives easier.
| jlawrence6809 wrote:
| Thanks! Here is the repo if you have any issues/suggestions:
| https://github.com/jlawrence6809/CSS-Selector-Helper-for-
| Chr...
| swozey wrote:
| How far did you have to deviate from the demo extension to
| make this? I've written themes for vscode and intellij but
| never done an actual extension because it's js/ts and I
| don't really enjoy writing those.
|
| I really wish they had a DSL for extensions to allow them
| to be more broadly written. Like, I feel like I have to
| basically learn js to learn to write a chrome extension and
| I'm a go/rust dev who will use it literally nowhere and I
| just want to make the AWS console not suck, for instance.
|
| But I keep trying to will someone like me into existence to
| make this extension and nobody is appearing lmao.
| jlawrence6809 wrote:
| This extension is pretty unlike most of the examples the
| chrome docs provide because it extends the devtools which
| most extensions don't do. There are a lot of hidden
| gotchas you have to look out for when extending devtools
| and the api they provide just isn't as well thought out.
| However I actually made the first version of this
| extension when I was just starting out learning
| html/css/js and I think it was good project for that. I
| wouldn't worry about making something presentable for the
| webstore at first. Just build whatever you need with
| really bare bones UI and iterate if you foresee it being
| useful for other people. Maybe even start with a
| greasemonkey script.
| zubairq wrote:
| I think that metamask is an example of a great add on that proves
| how great browser extensions are. Also, I think that the most
| popular browser extensions like metamask will eventually become
| built into every browser
| latchkey wrote:
| MM terrifies me as an extension. I run it in its own separate
| browser profile with no other extensions installed. My fear is
| actually that another extension can hijack MM.
| zubairq wrote:
| Yeah, I have wondered about that. Can browser extensions read
| or hijack data from other extensions? or are browser
| extensions sandboxed?
| latchkey wrote:
| It doesn't matter. Everything has security holes.
| swozey wrote:
| I program (not js/ts), use a massive number of extensions and
| consider myself an absolute power user of them and refuse to ever
| use a browser WITHOUT the chrome/firefox extension ecosystem,
| I've written themes for Chrome and VScode, but I'm still here-
| (like pink/cyan? get on in!
| https://marketplace.visualstudio.com/items?itemName=mikejk8s...).
|
| I have _no_ idea via the Chrome prompts what extensions are able
| to do, read, see, access, etc. "Allowed to access data on all
| websites" - Is this literally all data? Like what I'm typing?
| Like does it know when I go URL to URL? Is it just reading the
| assets? Is there a chrome API that limits their access that I can
| see? What do I actually need to worry about? I have a video
| zoomer that lets me zoom in on any video on any website, do I
| need to literally audit each extension myself and make sure it's
| not mirroring my data elsewhere or something?
|
| I have no idea. How would a non technical user know any of this?
| Rapzid wrote:
| I'm pretty sure it's as bad as it sounds haha.
|
| Like another user mentioned because of this I only trust a few
| key extensions(and like that user uBlock, Bitwarden, etc) with
| this sorta access.
|
| I'd be very wary of those scrapy screen/session recording
| startups if for no other reason than they could be particularly
| vulnerable to supply chain attacks.
| swozey wrote:
| Yeah I always go to the source/project URL in the chrome
| store and IDEALLY it's a github repo with a bunch of contribs
| but I'm sure I've played loose with a few that had no other
| options.
|
| I just had one big extension I use get bought by someone last
| week when it updated. I gotta dig through that now.. I used
| to hide that extension update popup screen but now I'm glad I
| didn't.
| weaksauce wrote:
| Yes it's that bad. I've written some webexts and if you ask for
| all data it really is all data... otherwise how would it work
| if you needed to change something on a page? I keep my list to
| my own bespoke one-off extensions or only the major big names
| or I audit the code manually.
| mg wrote:
| I prefer bookmarklets because they
|
| - Are easy to edit
|
| - Are inactive until clicked
|
| - Work in all browsers
|
| - Work on mobile
|
| - Integrate nicely into the UI. I can move them around, put them
| into any bookmark folder, assign shortcuts.
|
| I wrote this bookmarklet editor which makes it easy to convert
| between clean code and a bookmarklet:
|
| https://www.gibney.org/bookmarklet_editor
| redder23 wrote:
| Talking about how bad Google is limiting ad blockers, then going
| ahead and saying "I use Chrome extensions" I am assuming that
| means in Chrome. It's your fault then. Move to Brave (has ad
| blocker without limitations built in, you can use all Chrome
| extensions) or Firefox or whatever browser but if you continue to
| use Google's shit then you are helping them kill what makes
| extensions great. They do not even support extensions on mobiles,
| obviously with the excuse of performance but it's so most people
| who are actually on mobile can't block ads and otherwise remove
| commercial toxicity from the web.
| gymbeaux wrote:
| I've had some ideas for browser extensions over the years, most
| recently a few months ago. I remember looking at Mozilla docs for
| making a Firefox browser extension and, as a SWE w/10 YoE (mostly
| fullstack web), I was left confused. The documentation felt
| incomplete and I left the article with more questions than I had
| before.
| sidwyn wrote:
| > Compatibility: Because extensions hook into websites in
| unsupported ways, updates to websites often result in extensions
| temporarily breaking, and extension authors scrambling to fix
| them.
|
| Has anyone who's built a browser extension solved this?
| mcoliver wrote:
| The best you can do is get an early warning by running your
| extension via an automation framework and getting alerts on
| errors then publishing a fix and waiting for approval from
| Google.
|
| Too many unknown unknowns. You're searching for an element to
| modify or take an action on based on the text
| content/class/id/aria-label/type? Someone changed apple to
| train. Or completely changes the element hierarchy. How would
| you predict or recognize that to modify your logic and be
| certain it works before publishing to your
| hundreds/thousands/millions of users?
| akkartik wrote:
| Just the framing of "browser extensions" is extremely problematic
| in the year 2024.
|
| Most browser extensions by weight are Google Chrome extensions.
| Google Chrome is unambiguously demonstrating that no API is safe
| in its quest to juice revenues. Anybody who builds extensions
| using Chrome's APIs should be very aware that they're quite
| possibly putting effort into something a juggernaut will stomp
| away without a second thought.
|
| I don't care to live in strategically lost situations like this,
| so I think the conversation should be about _Firefox_ extensions.
| Which also don't have a great track record (the transition to
| Google Chrome compatibility a few short years ago still annoys me
| greatly), but are a qualitatively better counter-party to deal
| with.
| swozey wrote:
| Has Firefox fixed its syncing feature? You used to have to
| literally move a profile file around. I remember working in IT
| a long time ago and Firefox was an absolute nightmare to deal
| with corporately. But then, back then, we couldn't control
| Chrome extension installations..
| akkartik wrote:
| I'm only on Firefox because there's nothing better, but its
| sync at least has been pretty rock solid for me for several
| years now.
| mozman wrote:
| Sync was fixed as part of quantum.
| emodendroket wrote:
| > Most browser extensions by weight are Google Chrome
| extensions. Google Chrome is unambiguously demonstrating that
| no API is safe in its quest to juice revenues. Anybody who
| builds extensions using Chrome's APIs should be very aware that
| they're quite possibly putting effort into something a
| juggernaut will stomp away without a second thought.
|
| How unlike developing for literally any other environment.
| akkartik wrote:
| I don't know if you're being sarcastic. There's a spectrum
| between developing for Lua (juggernaut is super friendly),
| Python (juggernaut is mostly friendly, even if 2->3 caused a
| lot of casualties), Go (in spite of the corporate backer,
| quite careful about not stomping) and Chrome.
|
| Yes, there's always a counter-party. My point is it saves a
| lot of later grief to consider up front the counter-party
| you're entering into a relationship with. Their incentives
| and track record.
| moffkalast wrote:
| Quite right. Google and other commercial platforms may cut
| features or make breaking changes out of greed, while open
| source projects do it because they chase shiny things and
| can't be arsed to do legacy support. The end result is the
| same.
| Animats wrote:
| Most browser extensions seem to be used on Firefox, because
| Google is so hostile to ones on Chrome. With the decline of
| Firefox, the extension world has shrunk. I had something called
| "Ad Limiter" on both Firefox and Chrome for a decade. Identical
| code, even. Google sent me threatening messages last year, as
| they tightened the screws on ad blockers, and I dropped it for
| Chrome.
| akkartik wrote:
| That's a good point. Perhaps Firefox will benefit from an
| embrace/extinguish maneuver for once. Become compatible with
| Chrome extensions, then take over the space as Google
| retreats. This path too passes through no longer referring to
| "browser extensions".
| Animats wrote:
| Extensions were compatible for years until Google changed
| the manifest format and parts of the API.
| foobiekr wrote:
| Forget all that.
|
| 1. They increase the attack surface of the browser
|
| 2. They have routinely been transferred to (for money) or taken
| over by malicious entities
|
| 3. Often they subtly break things in ways that are fine for
| expert users but which result in support reach out by others
|
| The whole extension thing is a mess.
| syoc wrote:
| Replace browser with operating system or computer and expand
| extensions to user installable programs and it mostly still
| rings true. I believe users should be empowered to modify
| their installed applications as they see fit.
| Spivak wrote:
| It doesn't ring true for installed software anymore --
| "virus scanners" have gotten to the point where they just
| work for most people, desktop software is more difficult to
| develop (for your average hacker wannabe), more difficult
| to get users to install, and has far less valuable data to
| go after.
|
| I actually very much like Apple's approach to browser
| extensions forcing them to be truly installed software and
| in the purview of tools that protect the rest of the
| system.
|
| The Chrome browser extension ecosystem is perfectly fine in
| theory but suffers from reinventing installed software
| without taking any of the lessons we've learned about OS
| software. Nice cautionary tale but the web is different.
| dvdkon wrote:
| On a typical PC, installed software has even more
| permissions than a browser extension, and all any malware
| author has to do is write their own keylogger or upload
| the browser cookie database. Sure, it's a little more
| effort, but I think the only real advantage that
| malicious browser extensions have over native programs is
| the discoverability and auto-update Google and Mozilla
| give them "for free".
| sunshowers wrote:
| Ultimately, as a society, we have to decide what is more
| important: the best of us or the worst of us.
| loktarogar wrote:
| Framing it like that makes it much more simplistic than
| reality. While there are some people you can clearly place
| into "best" or "worst", most people fit somewhere along a
| spectrum where their placement changes day to day. You ever
| had a bad day where you forgot to do something you would
| have done any other day?
|
| Do you want software that allows you to do anything on a
| good day but is potentially catastrophic on a bad day?
|
| The answer may still be yes, but regardless it's a more
| complicated question than best vs worst.
| sunshowers wrote:
| That's fair, I was being more flippant than necessary. :)
| userbinator wrote:
| "Those who give up freedom for security deserve neither."
| CharlesW wrote:
| The real quote is more nuanced: "Those who would give up
| essential Liberty, to purchase a little temporary Safety,
| deserve neither Liberty nor Safety". It's a balance,
| obviously. I'm happy to have guardrails if they improve
| non-technical users' safety.
| wiseowise wrote:
| > I'm happy to have guardrails if they improve non-
| technical users' safety.
|
| Not at the expense of expert freedom.
| moolcool wrote:
| Small price to pay for adblock
| dev1ycan wrote:
| Actually hilarious that we have people here defending
| removing extensions, as if they didn't live through the days
| of Internet explorer. Well, maybe they didn't I hope they
| enjoy the eventual return of popups.
| Spivak wrote:
| They never left, they're just called modals now.
| AJ007 wrote:
| Endless EU Cookie modals that you have to always click
| through because you clear cookies.
| wiseowise wrote:
| > Actually hilarious that we have people here defending
| removing extensions, as if they didn't live through the
| days of Internet explorer.
|
| I wouldn't be surprised if Gen Z didn't live through it.
| everdrive wrote:
| Forget all that.
|
| 1. They increase the attack surface of the operating system
|
| 2. They have routinely been transferred to (for money) or
| taken over by malicious entities
|
| 3. Often they subtly break things in ways that are fine for
| expert users but which result in support reach out by others
|
| The whole web browser thing is a mess.
| Pxtl wrote:
| Honestly as much as I love Firefox this is an underrated
| concern.
|
| Firefox allows their extensions to be far more powerful than
| Chrome's, but that power means they are also far more
| dangerous.
|
| If Firefox were to really take off (like it should, imho),
| are we really ready for a web full of people being attacked
| by the worst spyware ever?
|
| Chrome, for all its faults, has ruined their extension
| framework at least in part because they were trying to
| prevent this threat.
|
| How do we make this work? Endless notification spam from the
| plug-ins? Expensive certifications for each plug-in release?
| bee_rider wrote:
| I'd be really curious about in a system where browser
| extensions are limited to ~200 lines of code. No mechanism
| for distribution beyond typing text in. No concerns about
| permission. It would be interesting to see what people can
| do in an ecosystem where extensions can actually do
| anything but it is expected that people will actually read
| the code before running it.
| Pxtl wrote:
| My reaction would be simpler: Anything that's identified
| as risky? Show the user. Extension is making an HTTP
| request? Show the body in a toast. Extension is reading
| the keyboard? Same thing. Extension is looking at the
| page? Little icon in the corner showing the name of the
| extension and that it looked. Can't be turned off. So
| extensions can still do all that crazy stuff, but they're
| _noisy_ about it.
| bee_rider wrote:
| I don't really see this as simpler:
|
| 1) "identified as risky" seems like it could hide some
| significant complexity (and room for error).
|
| 2) An extension might need to read from the keyboard. I
| don't want to OK it every time. If I check once and then
| mark it as OK, I'd be worried that it could do something
| evil with that permission somehow, in a far-flung bit of
| the code.
| playingalong wrote:
| How to encourage code golfing in real world usages?
| 1vuio0pswjnm7 wrote:
| "I don't care to live in strategically lost situations like
| this, so I think the conversation should be about Firefox
| extensions."
|
| Why would the conversation not be about editing the Firefox
| source code to add or remove "features" to meet one's personal
| needs.
|
| What is the point of "open source" if, to use the term from the
| submission title, the software is effectively un-"hackable".
|
| There is no small amount of "attack surface", and many unneeded
| "features", that could be removed from Firefox to someone's
| benefit, maybe it's only one user,^0 but that will
| effectively never happen. Why. It is open source so anyone
| should be able to audit the code and change it to their liking.
|
| 0. To be clear, I am not commenting about "most users" or the
| majority of users or whatever. I am referring to the small
| class of users who are explicitly dissatisfied.
|
| In 1995, there were numerous non-commercial browsers. Netscape,
| the source of Mozilla, was one of the few attempting to
| commercialise.
|
| https://www.w3.org/Clients.html
|
| There is nothing wrong with having "all-in-one" programs. As
| long as other "not-all-in-one" programs also exist as
| alternatives.
|
| Arguably, the aim of the "all-in-one" program may be to obviate
| the existence of other programs, namely smaller, simpler ones.
|
| Those pushing gigantic web browsers might assume and argue,
| e.g., that it is inconvenient to have different programs for
| different tasks. This could be true. For some users. However it
| is also true that small programs can be made to work with each
| other. UNIX is the example. Over thirty years of continual
| growth. The companies behind the giant browsers probably could
| not survive without it. There is choice.
|
| Large "all-in-one" programs and small ones like UNIX utilities
| can co-exist. The two are not mutually exclusive.
|
| Personally, I prefer not to use a giant browser to make HTTP
| requests on the open internet. It is overkill and there is a
| profound lack of user control. (Hence "solutions" like
| "sandboxing", and an ever-increasing number of Band-Aids that
| serve only to add more needless complexity. The companies
| releasing these giant "all-in-one" programs are funded by
| advertising. Enough said.) For me the "modern" browser is more
| useful as an image viewer and media player.
|
| It is possible to "browse" the web without advertising,
| tracking or other annoyances, I do it every day,^1 but not with
| one of these giant advertising-supported "all-in-one" programs
| like the "modern" web browser. It is a losing battle to try. No
| amount of "extensions" can change the balance of power over
| those giant programs.
|
| Despite that these "browsers" are "open source", dissatisfied
| users who know how to program are not editing the source code
| to remove the bad bits. Instead they helplessly complain in
| forums like HN.
|
| 1. I am not a typical user. (Though I might be in 1995.) I
| prefer text over graphics. I like to read without distraction.
| Because text is easy for the user to manipulate, it seems to
| have a defense against advertising that is not available with
| graphics. For example, if text ads were inserted into response
| bodies, I can easily filter them out.
| akkartik wrote:
| Oh I agree _so_ much with you.
|
| https://akkartik.name/freewheeling
| mosselman wrote:
| I wanted to build an internal company extension, but for that
| (chrome) you still need to go through the review process with
| Google and it is even worse than Apple's App Store reviews.
| fritzo wrote:
| Would it be too much friction to host internally and require
| your users to "load unpacked"?
| julienreszka wrote:
| It's really not hard, I doubt it's a big friction.
| narag wrote:
| _Qui prodest_ is the question you must ask when you hear the
| usual points against, mostly security. It's not that every
| person that dislikes extensions or repeats the same arguments is
| paid by _"them"_, but it's a little shocking seeing so many
| negative opinions in a forum called _Hacker News_.
|
| This comment: https://news.ycombinator.com/item?id=39251996 by
| Retr0id hits the nail on the head. It's not that we cannot modify
| the software, but there are so many layers of inconvenience...
| what about modifying and recompiling the browsers themselves?
| They're so big now. The solution would be extensions. But no.
| Security.
| juxtapose wrote:
| The whole article reads like an ode to Emacs. :-)
| dividendpayee wrote:
| There was a good article from John Loeber a few months back about
| browser extensions: https://loeber.substack.com/p/9-15-years-of-
| market-gaps-for-...
|
| He had the same point, where it feels like browser extensions are
| a big, somehow under-appreciated market. Browsers are huge
| platforms -- creating add-ons and making them more capable should
| be a popular, value-generating thing to do! But for a number of
| (developer) UX/UI issues, that just hasn't been the case. I hope
| this changes!
| drakerossman wrote:
| A somewhat-shameless plug here, since I've released this just
| yesterday:
|
| Browser Extension for Hacker News written in Rust WASM:
|
| https://github.com/drakerossman/hackernews-userscript
|
| It has filtering capabilities (filter in title, link, text, or
| username via regex) and softhide (hide all the items on a page
| without pulling others from the next page).
| ulrischa wrote:
| And especially Bookmarklets are underrated. They can do many
| things where no extensions are necessary.
| prakhar897 wrote:
| Tangential: What tooling do you use to develop extensions? I used
| React and couldn't find any testing libraries which work on
| background and content scripts.
| quicon wrote:
| "Computing is still young, and platforms are changing quickly.
| Modern browser extensions and smartphone platforms have only been
| around for about a decade. These platforms will evolve, and there
| will be new platforms after them, and we will get to collectively
| decide how open they will be."
|
| I really like this final comment. As a non-expert in computing, I
| also often think about how young this field is, and I fantasize
| about how it will evolve, hopefully towards a more accessible and
| open ecosystem.
| lxgr wrote:
| > we will get to collectively decide how open they will be.
|
| The author is way more optimistic than me here. I'd love if
| that were the case, but with the way the wind is blowing, I
| doubt that it'll be a collective decision between users and the
| big tech companies running today's computing platforms. If
| anything, it'll come through regulation.
|
| It's highly unlikely that e.g. iOS or Android will suddenly and
| out of their own initiative open up their APIs in a way that
| would allow building anything like "reading mode"/distraction
| removers, ad blockers, data extraction allowing mashups between
| different apps etc.
|
| Google's main customers aren't Android users, but app
| developers who run in-app ads and sell in-app purchases; the
| same is to a large extent also true for Apple (although DMA-
| like changes might shake up things a bit, and their reasoning
| for not introducing such apps will likely be security and
| platform integrity, not ads).
| ww520 wrote:
| One benefit I would add is that cross platform support is great
| for browser extensions. Browsers already run on different OS's
| and devices. Browser API and extension API are fairly uniform
| among the major browsers. It's close to the cross platform
| support of general websites.
|
| As an experiment I develop my latest browser extension on Firefox
| [1], Chrome, and Edge [2] at the same time to see how difficult
| it is to share the same code base. The difference is minuscule,
| like less than 0.01%. Chrome and Edge are essentially the same.
| Firefox is a bit behind in Manifest V3 support and needs a few
| lines of Firefox-specific API calls. The manifest files have a few
| differences. Overall, sharing the same code base is very
| feasible.
|
| [1] https://addons.mozilla.org/en-US/firefox/addon/one-page-
| favo...
|
| [2] https://microsoftedge.microsoft.com/addons/detail/one-
| page-f...
|
| Edit: You might ask where the Chrome version is. Well, I had a heck
| of a time creating a new Google account for deployment. Stay tuned.
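A concrete version of the shared-code-base setup described above, as an added example that is not ww520's extension or code: the per-browser manifest is generated from one shared base, and one shim picks the API namespace at runtime. The extension name, gecko id and URLs are constructed placeholders.

```javascript
// Added example (not ww520's code): keep one source tree and generate the
// per-browser manifest at build time. Chrome and Edge (MV3) run the
// background as a service worker; Firefox's MV3 runs background scripts
// and wants a gecko add-on id. Names, ids and URLs are constructed.
const BASE_MANIFEST = {
  manifest_version: 3,
  name: "one-page-demo",                 // constructed, not the real add-on
  version: "1.0.0",
  permissions: ["storage"],              // request only what the code needs
  host_permissions: ["https://example.com/*"],
  content_scripts: [
    { matches: ["https://example.com/*"], js: ["content.js"] },
  ],
};

// Return the manifest for one target without mutating the shared base.
function buildManifest(target) {
  const m = JSON.parse(JSON.stringify(BASE_MANIFEST));
  switch (target) {
    case "chrome":
    case "edge":                         // Edge is Chromium: identical manifest
      m.background = { service_worker: "background.js" };
      break;
    case "firefox":
      m.background = { scripts: ["background.js"] };
      m.browser_specific_settings = {
        gecko: { id: "demo@example.com", strict_min_version: "109.0" },
      };
      break;
    default:
      throw new Error(`unsupported target: ${target}`);
  }
  return m;
}

// Top-level keys whose values differ between two manifests: the "few
// differences" a reviewer should expect to see between the builds.
function manifestDiff(a, b) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  return [...keys]
    .filter((k) => JSON.stringify(a[k]) !== JSON.stringify(b[k]))
    .sort();
}

// At runtime, Firefox exposes the promise-based `browser` namespace and
// Chromium exposes `chrome` (MV3 methods also return promises when no
// callback is passed), so one shim serves the shared code. The global
// object is injected so the function can be exercised outside a browser.
function extensionApi(g = globalThis) {
  const api = g.browser ?? g.chrome;
  if (!api) throw new Error("not running inside a browser extension");
  return api;
}
```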
| gklitt wrote:
| Post author here! I wrote this post five years ago. Since then,
| my conviction in the value of customizable software has only
| grown, but I've also updated my thinking in a few ways:
|
| 1) AI
|
| AI is rapidly getting better at coding. Current AI is often bad
| at high-level architecture but is capable of making small local
| tweaks. Seems like a good fit for the kind of code you need to
| write a browser extension!
|
| I'm exploring this direction; wrote more about it in "Malleable
| software in the age of LLMs" [1]
|
| 2) Security
|
| Having talked to people who worked on various extension platforms
| including the browser extensions API, I see more clearly than I
| did five years ago that security is often the key bottleneck to
| deploying extension platforms meant for mass adoption. Anytime
| you want everyday computer users to be installing invasive
| extensions to important software from untrusted third parties,
| it's gonna be challenging to protect them.
|
| That said, I still think that conversations around extensions
| tend to focus too much on security at the expense of all else.
| Customizability is important enough that it may be worth
| prioritizing it over security in some cases.
|
| I also think there are many reasonable paths forward here. One is
| to exchange extensions with trusted parties -- e.g., coworkers or
| friends -- rather than installing from random people on the
| internet. Another might be to only build your own extensions;
| perhaps that'll become more viable with AI-assisted programming,
| although that introduces its own new security issues. And
| finally, I've met a few people who have smart ideas for
| architecting software in a way that helps resolve the core
| tensions; see [2] for an example.
|
| 3) Backend access as a key limitation
|
| I've increasingly realized that the fact that browser extensions
| can only access client code in a fairly server-centric web means
| that many deep customizations are out of reach. Perhaps you can't
| read the data you want, or there's not a write API to do the
| thing you need.
|
| While I'm optimistic about what extensions can do within the
| boundary of the client, this is an inherent limitation of the
| platform.
|
| At Ink & Switch (the research lab I now work for), we're working
| towards local-first [3] software: collaborative software where
| the data and the code lives on your device. Among other benefits
| like privacy, we think this is the right foundation for more
| powerful extensions, since your data and the app code aren't
| locked away on a server.
|
| [1] https://www.geoffreylitt.com/2023/03/25/llm-end-user-
| program...
|
| [2] https://www.wildbuilt.world/p/inverting-three-key-
| relationsh...
|
| [3] https://www.inkandswitch.com/local-first/
| samwillis wrote:
| I'm so excited about the malleable software / local-first /
| local-AI crossover, I feel like we are at the dawn of a new era
| of software. If we play our cards right, we can bring back
| control of our data from the large corporations, have
| ownership, and more control of how we work.
|
| I'm particularly interested in how general purpose CRDT
| toolkits like Automerge and Yjs could become the backing
| filetype for local-first software with interoperable
| sync/collaboration backends. The user can then have direct
| access to the underlying data via standard tooling. Files can
| be linked, embedded within each other, forked and merged.
|
| We could have a new hypermedia platform built on this, where
| all documents are possible to be shared, forked, edited in
| realtime...
|
| Basically, love what you are all doing at Ink and Switch,
| excited to see what you publish next.
| dustingetz wrote:
| Taking back control from evil corporations is a
| funding/finance problem, not a technology problem. Everyone
| dreams of democratized ownership until they have to pay the
| huge developer salaries. And the go-to-market costs are even
| higher than that: all channels are saturated and you have to
| be louder than the noise.
| exe34 wrote:
| Executing untrusted code would be a lot safer if browsers and
| mobile OSes would make it easy to provide fake resources to the
| app/extension.
|
| Yes, you may read my phone contents, and as far as you know,
| it's the contents, the whole contents and nothing but the
| contents - it just happens to be a folder to me. An empty
| folder. It's a new phone you see.
|
| Yes here's my contact list. Sorry it's mostly empty, there's
| just the costly premium number in there. I hope your mothership
| doesn't try to call it.
|
| Yes, here's my microphone. Oh thank you, yes, I do a good
| impression of Rick Astley.
|
| Pictures on my phone? Oh yes, right this way. It's all pictures
| of turnips. Do you like them?
| nottorp wrote:
| There is already a permission system?
| gleenn wrote:
| The issue the parent is trying to solve is you don't really
| have fine grained enough control, or apps nag you and won't
| load until you give them everything they want. My mom has a
| cheap camera security app that allows me to see the live
| streams from remote. Every single time I open the app it
| asks me again if I want to allow it access to my local
| network. The answer is a resounding "no". If I could just
| say "fake yes, here is my fake network", then I wouldn't be
| continually coerced into giving permissions to something I
| really don't want to share. I can think of many similar
| examples, another really common one is giving apps access
| to my contacts. Absolutely not, stop asking me, here is
| "Uncle Bob" with phone number 1-222-222-2222. Leave me
| alone.
| nottorp wrote:
| Are you sure browser extensions improve the web apps?
|
| Maybe they attempt to fix them because they're limited by the
| platform and mostly low quality software?
| jameshart wrote:
| The security problem of open platforms is the key.
|
| Anything that is open enough to let someone who knows what
| they're doing customize the system to their liking, will also
| be abused by bad actors persuading people who don't know what
| they are doing to customize the system in ways that harm them.
|
| The fact I can write my own custom keyboards on Android is
| great! But the fact someone can convince your grandparents to
| install a keyboard that includes an embedded key logger is not!
|
| Browser extensions have always been a malware-rich ecosystem.
| Joking about removing all the toolbars from your parents'
| Internet Explorer whenever you went home for Thanksgiving dates
| back to about 1999.
| conradev wrote:
| A great XKCD on the topic: https://xkcd.com/2044/
|
| I do think that with every turn of that cycle we end up with
| better compromises. They'll still be compromises, though.
| feldrim wrote:
| Browser extensions, if we use the analogy of apps running within
| the browser as an OS, are lacking simple capacities to manage the
| risks. Just like any app a user can install on their devices,
| extensions extend the attack surface. As we cannot avoid the risk
| by removing all of them, we can just allow users to have more
| control over them regardless of the browser they use. I
| suggested[0] using standard management APIs provided by browsers,
| therefore the ecosystem can use them as building blocks for FOSS
| and/or commercial tools. That's a very naive idea but why not?
|
| 0. https://zaferbalkan.com/2023/10/03/browser-extension-
| api.htm...
| bmacho wrote:
| Browser extensions are bad.
|
| Don't create them.
|
| Don't use them.
|
| Use Tampermonkey/userscript instead.
| breadchris wrote:
| What has always blown my mind is the lack of documentation/open
| source projects. With such powerful data we come across while
| browsing the web, it would only make sense to me there would be
| more tools to use and extend in this space. Browsing history is
| especially undervalued. Even though the data technically exists,
| it is quite difficult to retrieve pages that have been visited,
| imo because of poor UX. Most people keep every Internet journey
| open in hopes they will remember to return to it. I have been
| taking a stab at improving the UX with a history browser
| extension [1] which I have found myself legitimately finding
| value in using (a first for my personal projects lol).
|
| [1] https://github.com/lunabrain-
| ai/lunabrain/tree/main/js/exten...
| poisonborz wrote:
| More like overrated. An extension can't be better, can't offer
| more than what the host application allows. All these developers
| hang on by a thread. Compared to OS APIs, in-app APIs are more
| unstable. Goals, profit incentives affect a single application
| much harsher than how a wider ecosystem would react. It's good
| that they exist, but at most they are viewed as a necessary
| annoyance by their hosts. Chrome I won't even need to mention,
| but winds could turn anytime on something like VSCode as well.
|
| Sure, WebKit and VSCode are both open source and forkable along
| with their extension support, but any later development would rot
| compatibility until, and if, a popular fork emerges.
| GeekyBear wrote:
| The web has become unusable without extensions like uBlock
| Origin, but extensions can contain malware.
|
| I have moved over to only using extensions that have gone through
| Mozilla's manual code review necessary to become part of their
| "recommended extensions" program.
|
| > Before an extension receives Recommended status, it undergoes
| rigorous technical review by staff security experts
|
| https://support.mozilla.org/en-US/kb/recommended-extensions-...
| quickthrower2 wrote:
| I love browser extensions both as a user and as a hacker.
|
| The elephant in the room is browser extensions are not a web
| standard and Google or Firefox can make a breaking change to you
| at any time "for security". Also Chrome can boot you out of the
| store or ask for 100 point ID check in the future.
|
| Extensions are great but a web standard for them would be even
| better.
| lapcat wrote:
| They're working on that:
| https://www.w3.org/community/webextensions/
| kjkjadksj wrote:
| I love working with hackable software. I kind of attack it at the
| source level vs writing for the browser however. For example, say
| there's some tool on a git repo. I will shamelessly clone it and
| build off of it to my own liking. Maybe I add another 1% to the
| code base, or maybe that repo becomes 1% of a codebase I write on
| my own. These are tools I could never share however, because of
| the rampant plagiarism I am doing, and the fact I don't much care
| about getting it to run on different systems beyond my own. That
| being said fast and loose coding like this is a very powerful way
| to iterate on personal projects that never need to be anything
| but. I wish more things were actually hackable especially mobile
| or appliance hardware. Companies never like giving the power
| users the reins for some reason.
| dang wrote:
| Discussed at the time:
|
| _Browser extensions are underrated: the promise of hackable
| software_ - https://news.ycombinator.com/item?id=20556382 - July
| 2019 (186 comments)
| sn0n wrote:
| Meanwhile Beaker has become archived and "lives on in" Bluesky
| and solid is vaporware afaict... Ouch.
| cc101 wrote:
| It's possible that some here might confuse Web Extensions with
| Safari App Extensions. Safari App Extensions are not the same as
| Web Extensions. App extensions are written in native code
| (Objective-C or Swift); they operate within Apple's sandbox;
| their data is saved within Apple's secure file system; and if
| they are sold via the Apple App Store, they are reviewed and
| approved by Apple. One never has absolute assurance that an app
| is proof against attack, but until I learn otherwise, I think
| Safari App Extensions are safe.
___________________________________________________________________
(page generated 2024-02-04 23:00 UTC)