A fun idea, but I am so hesitant to install extensions that have access to any URL. I don't know who this developer is, so how can I know they won't accept $10k to sell their extension to some malware group that will try to exfil all of my banking credentials after updating this extension?
It's worse. Even if you DO know and trust the developer, in a year or two, they're probably going to get an email from a nice man who will want to buy their extension for $10,000, and they've long gotten bored of it, so why not?
An extension like this should be relatively small. Download the source code, read it to make sure nothing bad is happening, then install it from source so it doesn't get automatically updated.
This is a good point and I haven’t read the manifest as I’m in a bit of a rush. Chrome did do a lot of work improving the manifest for conditions like this in v3. I know with webRequest you have to specify URLs, but I'm not sure if there is a separation of duties here in terms of:

1. Permission to operate on any URL page loaded locally and being able to modify the HTML/insert HTML like the clown image

2. Being able to webRequest HTTP outbound to <any_url> where you could exfiltrate data.

I thought there was a way to insert HTML into any loaded page without having access to send outbound network requests.

If that is the case, that it’s separate, then if the Chrome extension were to be sold and the manifest were changed to allow nefarious behavior, you would know.

This is quite the problem with the Chrome extension ecosystem. It is rife with malware. How does someone build an extension that can promise better behaviour? There doesn’t seem to be a way to restrict oneself.

Even manifest changes aren’t “scary enough”.

Why would this extension ever need to be updated?
Easy solution. Don't install it.
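
An added example, not code from the thread or from the extension being discussed: one way to do the manifest comparison the comments above describe, run before loading a new version from source. It assumes Manifest V3 field names, and both manifests are constructed samples.

```javascript
// Added example: report access that a newer manifest.json gained over an
// older one. Field names are Manifest V3; v1 and v2 are constructed samples.

// Host patterns that amount to "every site".
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect every declared grant, keyed by the manifest field it came from.
function grants(manifest) {
  const out = new Set();
  for (const key of ["permissions", "host_permissions",
                     "optional_permissions", "optional_host_permissions"]) {
    for (const v of manifest[key] || []) out.add(`${key}:${v}`);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) out.add(`content_scripts.matches:${m}`);
  }
  return out;
}

// Grants present in `next` but not in `prev`, with broad host patterns flagged.
function addedGrants(prev, next) {
  const before = grants(prev);
  return [...grants(next)]
    .filter((g) => !before.has(g))
    .sort()
    .map((g) => ({ grant: g, broad: BROAD.has(g.slice(g.indexOf(":") + 1)) }));
}

// Constructed sample: version 1.0 only injects a content script.
const v1 = { manifest_version: 3, version: "1.0",
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }] };

// Constructed sample: version 1.1 adds API permissions and host access.
const v2 = { manifest_version: 3, version: "1.1",
  permissions: ["webRequest", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }] };

for (const { grant, broad } of addedGrants(v1, v2)) {
  console.log(`${broad ? "BROAD " : "      "}+ ${grant}`);
}
```

This only compares what the manifest declares; it says nothing about what the bundled scripts do with access they already had, so the source still has to be read.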