undefined | Better HN

0 pointsamelius2y ago0 comments

The problem is the permission system. Like apps, extensions have an all-or-nothing attitude to permissions. Browsers should allow the user to be more specific about permissions, and let extensions think the user gave more permissions than they actually did. E.g. if extension insists that they need "access to entire filesystem", the browser should make the extension believe they have access to the entire filesystem, but of course the entire thing is sandboxed and the user can restrict the access behind the scenes.

Without this feature, extensions will keep insisting they need access, and the user will eventually fall for it.

0 comments

josteink2y ago

> Like apps, extensions have an all-or-nothing attitude to permissions

Browser extensions needs to declare their permissions. With Manifest V3 we’re seeing even more need to declare permissions.

Any extension cannot do anything not explicitly granted to it by the user upon installation.

actionablefiber2y ago

The issue is those extensions can withhold valuable functionality needlessly.

If I download $usefulWikipediaCompanionExtension whose functionality only depends on access to *.wikipedia.org but whose manifest demands permission on all sites, I'd like to be able to tell my browser "if I'm not really on Wikipedia, only show the extension a blank page."

hgsgm2y ago

That's a lot more work than saying "No" to using the malware.

1 more reply

iudqnolq2y ago

Yes but this extension needs to send the content of webpages you visit to APIs. You're gonna give it explicit permission to effectively do whatever the hell it wants.

j / k navigate · click thread line to collapse