undefined | Better HN

0 pointswheelerwj8y ago0 comments

most people who understand sandboxing would sooner assume that its bad copy text rather than believe google would allow literally anything anywhere.

0 comments

AgentME8y ago

Extensions (with permission to a domain) can inject elements and javascript into webpages, and javascript running in a page can use the DOM APIs (the same APIs that a webpage's own code uses) to see what's on the page, including form content.

Chrome extension sandboxing is mostly about controlling what webpages an extension can manipulate, not so much about how it can manipulate it. It's not obvious that there is a better sandboxing solution for the general case. (There are possibilities for specific uses though: Safari has APIs for extensions to use set up regexes to block images/ads without needing permission to run arbitrary code on sites.)

wheelerwjOP8y ago

i can't speak for everyone, but if i could get a permission that was bookmarks/url only i would be pretty happy.

hedning8y ago

There's bookmarks and history permissions available: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/ma...

j / k navigate · click thread line to collapse