Comment by tadfisher
7 hours ago
WebExtension permissions are fucking broken if the set of permissions necessary to reformat and style JSON snippets is sufficient to inject network-capable Javascript code into any page.
If basically any worthwhile extension can be silently updated to inject <script> tags anywhere, then it's time to call this a failed experiment and move on. Bake UBlock and password-management APIs into the browser. Stop the madness.
Been researching extensions for a while now at the day job and I'm preparing some disclosures to the major browser vendors.
The amount of absolute clusterfuckery in browser extensions is endless. One of the biggest issues is with how extensions define their permissions and capabilities in their manfiest.json files. I've reviewed thousands of these now, and probably only 5-10% of extensions actually get it right. There are just so many confusing and overlapping permissions, capabilities, etc.
It is a failed experiment, but I don't think Google can just shut it off, because of their market dominance. They'd be disconnecting some of their competitors from their users. They need to move to an updated manifest spec that is (more) secure by default, has fewer footguns, etc.
> They need to move to an updated manifest spec that is (more) secure by default, has fewer footguns, etc.
They tried to do this and people got very upset at them trying to kill adblockers.
For context, the latest version of extension spec (Manifest V3) is just 1.5 years old. It isn't something old or legacy.
- click install
- "It can: Read and change all your data on all websites"
It's not alarming sounding enough for what that implies, but "it can trigger requests under its control" seems fairly obvious from that. The permission it uses to inject ads can be used to inject ads (or block them).
Why a JSON formatter needs any permission at all is something anyone installing it should be asking themselves.
---
This is not meant to imply that I think the permission model of extensions in chrome or firefox is good, clearly it is not. But it's significantly better and more fine-grained than every single other widely-used permissions system in consumer apps. Ideally there should be more carve-outs for safe niches like a "read a JSON file, rewrite it into something that does not need javascript or external resources" could use, but also that kind of thing is likely to be nigh impossible to make "complete".
"Read and change data on all websites" does not, to me, imply "make network requests on the user's behalf". Yes, I can put on my developer hat and surmise that, under the hood, the extension's injected payload can make network requests by adding <script> elements to the DOM. No user will ever understand this, no matter how much you try to educate them through the permission prompt.
This ends up being significantly worse than any other widely-used permissions system, because injected scripts act as the website, not the extension. If you've already granted location permission to a website, then it is effectively granted to the extension. There is no other ecosystem that works like this.
And to do basically anything worthwhile, including certain types of content blocking, you need this God permission that essentially disables the WebExtension permissions system. This should never have been greenlit in the first place.
>"Read and change data on all websites" does not, to me, imply "make network requests on the user's behalf"
Yeah, I don't like this phrasing either, I think it downplays the risk to a dangerous degree (which is "it can see and do literally anything on any site you visit", which is GIGANTIC). It's one of the worst permissions to request, but it doesn't look like it.
But other permissions systems don't have per-site controls, or the ability to turn things off until activated, or isolate everything, or... the list is huge, others generally have permissions like "can access this folder [and others we haven't told you] [and folders you give it access to, which you can't revoke later https://news.ycombinator.com/item?id=47719602] [and only for applications which opt into this, normal ones can do anything anywhere any time]...." which is much worse.
To install a JSON formatter, you need to grant the following access:
1. Access to the page DOM to read the raw JSON content.
2. Permission to modify the DOM to display the formatted results.
Unfortunately, these requirements necessitate broad host permissions, which allow an extension to inject ads or track user behaviors. There is no alternative way to define a strict security boundary that allows these specific permissions while preventing abuses.
> There is no alternative way to define a strict security boundary that allows these specific permissions while preventing abuses.
Maybe you're right, and there isn't. Does it not follow that we should probably require extensive review and open-source reproducible builds before allowing any such extension on the browser extension stores?
I’m pretty sure you can setup without broad host permissions, you just probably wouldn’t like it. You’d have to click a button to trigger the behavior, which I think requires you to click another button to approve access. Or configure the extension to allow access to specific domains after install, which will also have a permission prompt.
Given that the worlds biggest browser is made by the worlds biggest ad company, the chances it’ll ever bake in a working ad blocker are approximately zero.
Chromium does include an ad blocker for "intrusive ads". ie. Those using many resources, flashing, auto-playing sounds, or otherwise behaving badly.
https://support.google.com/chrome/answer/7632919