← Back to context

Comment by maxloh

5 hours ago

To install a JSON formatter, you need to grant the following access:

1. Access to the page DOM to read the raw JSON content.

2. Permission to modify the DOM to display the formatted results.

Unfortunately, these requirements necessitate broad host permissions, which allow an extension to inject ads or track user behaviors. There is no alternative way to define a strict security boundary that allows these specific permissions while preventing abuses.

2 comments

maxloh

Reply
tadfisher  5 hours ago

> There is no alternative way to define a strict security boundary that allows these specific permissions while preventing abuses.

Maybe you're right, and there isn't. Does it not follow that we should probably require extensive review and open-source reproducible builds before allowing any such extension on the browser extension stores?

what  4 hours ago

I’m pretty sure you can setup without broad host permissions, you just probably wouldn’t like it. You’d have to click a button to trigger the behavior, which I think requires you to click another button to approve access. Or configure the extension to allow access to specific domains after install, which will also have a permission prompt.