As a hobbyist developer, having that kind of access in other people’s browsers is not something I want, and I’m suspicious of developers who do seem to want it. It’s like “hey, I wrote a fun game that requires root access.”
At least limit it to people who know what GitHub is.
So... Just like AAA game studios, eh?
Sony? Microsoft? EA? Apple? Exactly which giant megacorporation is beyond shady things?
https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...
I mean, that's what kids, teenagers, young adults and non-technical people in general are known for: their prudence and good technical decision making.
Let's not talk about the other risk vector: that Tencent, a Chinese company, is the one buying most of these game studios that have kernel access (not exclusively).
Because an extension that finds all button elements on all websites you visit must necessarily start by reading the content of all websites you visit.
Is your stance that hobbyist developers should not be allowed to develop desktop software or CLI tools? The entire software development ecosystem would collapse in an instant. Or are you just not familiar with Windows & Macs (lack of a) permission system?
1. Most antivirus solutions built into operating systems, such as Microsoft Defender, are unlikely to find suspicious extensions that are exfiltrating your data.
2. Extensions autoupdate (and don't require you to re-authenticate their permission set).
3. It is not uncommon for large spyware companies to buy up a bunch of the most popular Chrome extensions, and proceed to inject them with malware.
4. Since an extension runs inside your browser, it's much easier to forget that they're essentially always running, whereas once I exit a desktop app it's presumably gone. There's a dangerous level of passivity to browser extensions for an average user who might forget they even have them installed on the browser.
Maybe number 2 has changed in the last 10 years, but it certainly didn't use to be the case.
They can flag antivirus signatures just like everything else, and I've experienced this happening in the past. In the end, extensions are just some JavaScript/CSS files in a folder and they get scanned just like everything else.
> Extensions autoupdate
So can any piece of software if it wants to. It's trivial to make an updater start on boot.
> It is not uncommon for large spyware companies to buy up a bunch of the most popular Chrome extensions, and proceed to inject them with malware
The same can, and has, happened for "regular" software.
> Since an extension runs inside your browser, it's much easier to forget that they're essentially always running, whereas once I exit a desktop app it's presumably gone
Desktop apps can trivially just not show a window if they want to. They can trivially add themselves to autostart. It depends entirely on what they're doing, just like an extension.
No, instead you're just reading all files on the filesystem, including the browser's cookie store or whatever. The data you are, or can be, handling is just as, if not more, sensitive since it's literally a superset of what the browser has access to.
> The lack of sandboxing in desktop applications is bad
Some sandboxing would be nice, but the Google/Apple approach of needing to beg the vendor for every little permission isn't the way to go, either. I'd rather have software that can actually do things as opposed to only having useless sandboxed "apps".