> In order to provide the smoothest experience as possible, the extension needs to know when you change active tabs. In order for the extension to know about that event, it needs the tabs permission, which Chrome describes as "can read and change all your data on websites you visit." That description is very scary, and is certainly not what this extension is doing. Being an open-sourced project, you can always read all the code to see how this extension works, and what it's [not] doing with your data.
The problem is that even if I read the code, or more likely chose to trust that someone has, it's not guaranteed to remain true for future updates. The author's scruples may weaken with time, or they might sell the extension, etc. (I think Chrome's extensions auto-update, but even if they didn't I'd still have to remember that this extension is one that I can't assume it's safe to update.)
The thing is there is no alternative way to do this. I have written some extensions my self and often you cant do anything without having full read and write access to every page.
For example I have an extension that lets you right click an image and rotate it by -90/+90/180 degrees. All I want is for the browser to hit me up when there is a `<img>` tag, but that is not an option. Either I have to white list every page separately in the code or ask the user to white list every single page or just ask for full read and write permissions for every single web page the user visits.
As someone working on an extension right now, I can definitely say that you only need the “ActiveTab” permission. With this, the extension only becomes active (and can interact with the page) when the user right-clicks an image and selects the action from the extension.
I have an extension to replace the "backspace for back" keybind they intentionally broke after 30 or how many years and of course it needs access to everything everywhere, because apparently they can't envision extension functionality that isn't "inject JavaScript".
On Firefox this is an option in about:config, no need for an extension. I’m on mobile rn so I don’t have an reference to the specific key, but it’s something like “enhanced backspace”
> The thing is there is no alternative way to do this.
Maybe. But this is not clear at all from the given explanation:
> In order to provide the smoothest experience as possible, the extension needs to know when you change active tabs.
The "smoothest experience"... This is corporate wooden language, and sounds disrespectful towards the users. Why does the extension need, precisely, to deal with tabs at all? A smooth experience would allow the users the choice to disable this permission while still working correctly on a single tab (as the previous version did). If this is not clearly explained upfront, it sounds like bullshit, even if it isn't.
Maybe there is no alternative way to do this. But certainly there is an better way to explain this.
This is a bit cynical isn't it, when the author is clearly being as transparent as possible about what they need and why, which is due to factors outside their control.
Of course you're right in a technical sense. They could do whatever they want later.
But still let's celebrate and attitude like this rather than criticizing it.
This has been used as an attack vector in the past: spot reasonably popular plugin; make author an offer; inject whatever tracking/other malwate stuff new owners want (typically after a delay).
So now we'd have to trust the author to do thorough vetting of a potential buyer and also not sell if vetting is inconclusive. And this against an adversary aiming to cheat their way past vetting.
Might be a cynical take, but it is not one without reason.
As a sibling comment points out, this is due to the permission model. This doesn't let the author entirely of the hook though: the permissions model created the situation, the author chose a particular path. The consequences may not have been foreseen by either, but they do exist and affect users.
>the permissions model created the situation, the author chose a particular path.
perhaps the most reasonable or even only possible path if they wanted their plugin to be able to do what they wanted it to do, which was to keep sites and from messing with your copy and paste functionality - in other words to prevent minor maliciousness.
on edit: sure, to provide the smoothest behavior, but really if it wasn't smooth people would be irritated and not want to use it. I know if I was implementing for myself I would want it to be smooth.
I understand the whole "bad things can be done" perspective, but here for some reason I fall under a "trust but verify" perspective instead.
It's not cynical - see what happened to ublock. That kind of mess has happened, and will continue to happen, and should be a factor in what you choose to trust.
The extension in the Chrome Web Store (CWS) never changed hands. I just reverse-forked a GitHub repo, which was of no consequences to those who installed the extension from the CWS. I was asked to transfer the CWS entry, I refused. This can't be compared to an extension changing hands or going rogue in the CWS.
Wasn't the worst that happened with it that the guy who took over uBlock tried to take credit for it and asked for donations? Not like he could get away with anything outright illegal when everyone knew he was running the project.
The Wiki article has a brief summary of the history, but basically the original author wanted to transfer responsibility for the user-facing maintenance to someone else, who started seeking donations and (I believe) taking payment for "acceptable ads" and the like.
Nope. People are being asked to give a bunch of deep access to their system, it's not enough for the author to have pure intensions and explain why they asked. The user should understand the risks, many of which are non-obvious (like the extension being sold).
Let's put it this way: there have been FLOSS projects whose maintainers intentionally pushed compromised code to unsuspecting end users. See for example the colors attack.
What leads you to believe that good intentions are enough?
> Let's put it this way: there have been FLOSS projects whose maintainers intentionally pushed compromised code to unsuspecting end users. See for example the colors attack.
Following this logic, we should all stop using any and all software for which we haven't personally inspected the full source code for, since this could happen to any of them.
A more reasonable take would be to assess your risk tolerance and the possible benefit for each piece of software you install, and then make the best decision for yourself based on that assessment.
For some people, that means not running an extension that provides minor quality of life improvements due to the possibility of it turning malicious further down the road. For other people, it means the opposite.
Not sure why every security-related conversation devolves into one extreme vs. another extreme. Security must be appropriately balanced against risk tolerance, inconvenience, and a number of individual concerns and preferences.
If you personally think extensions are too much of a security risk for you, sure, don't use them. But please don't comment "ackshually extensions are insecure and using them is a bad idea" on every post about a browser extension. We already know the risks, it's explained when you install them, we don't need to hear the same lecture every day.
>But please don't comment "ackshually extensions are insecure and using them is a bad idea"
I haven't? My first comment on this entire topic is the one you are replying to... And it can be summed up as "risk tolerance and security decisions is personal".
This one is the version linked by the Firefox addon [0]. Honestly can't tell if one or the other is better but I like having it automatically enabled. Considering it hasn't been updated for years (but still works) I'm not particularly worried.
I get around that by downloading the extension source and then using Chrome extension developer mode to “load unpacked extension”. Then I’m confident the extension won’t change on me.
(But for this extension I don’t give it all site permissions anyway. I just enable on site by site basis)
This is exactly the point I was making. I personally don't care that this is how some people manage their chrome extensions. It's clever, and will help if the source suddenly changes. If there is a vulnerability in the version you've downloaded & keep installing, it'll never be fixed because no automatic updates. Plenty of examples of extension vulnerabilities in Chrome, but the stability of your plugins not auto updating is definitely appealing to avoid unexpected changes/behavior
That's exactly why I use my system package manager to install and update browser extensions.
And whenever the package repository is missing a browser extension I need, I contribute the package and take responsibility for its ongoing vetting and maintenance.
You should have read a few more lines of that source - it also sends an "active" message to the tab, which is what adds and removes the copy/cut/paste event handlers.
You mean the permissions system is broken and most extensions do suffer from the same issue?
Nah mate, we at Google, (bless them Mozilla crooks giving us control over their extensions), don't care about actual issues, we only update extensions to make money and limit user freedom.
that argument only matters if you're using it on Firefox
if you're using it under chrome you're already working under the profit making goal of a failing advertising company. how worse do you think it can get?
The problem is that even if I read the code, or more likely chose to trust that someone has, it's not guaranteed to remain true for future updates. The author's scruples may weaken with time, or they might sell the extension, etc. (I think Chrome's extensions auto-update, but even if they didn't I'd still have to remember that this extension is one that I can't assume it's safe to update.)