
Improving extension transparency for users - el_duderino
https://blog.chromium.org/2018/06/improving-extension-transparency-for.html
======
ocdtrekkie
Wow. It's hard for me to express how big a deal this change is in protecting
the average consumer. I don't know if this blog post will see much attention
here on HN, but it's a _huge_ improvement. This has been an incredibly common
malware install vector that I've been loudly complaining about to anyone who
will listen for a number of years. Countless people I've worked with over the
years have been hit by malicious sites forcing extension installs using
alert() prompts and other tricks to prevent you from leaving until you install
the extension.

It's long overdue for this practice to end, and I'm glad to see that in 2018,
it will finally be safe to have Chrome installed.

I feel "Chrome disables websites from installing extensions" would be a far
better headline, mind you, Google chose to be incredibly vague here.

~~~
seanwilson
I'm curious if there's a way they could have locked it down more so that
legitimate extensions could still use inline install. I have a Chrome
extension promoted via a website and I imagine this move will impact
conversion rates.

~~~
ocdtrekkie
I don't believe there is any legitimate justification for this atrociously bad
feature: If you were using it ethically, it still requires the same number of
clicks as if you just linked to the Chrome Web Store.

Consider that launching an extension install without permission is bad, so
someone is going to have to click a button on your website to install the
extension, and then when the Chrome extension install prompt appears, click
again. So two clicks.

Or you could have them click once to link to the Web Store, and a second click
to install the extension. Still two clicks. The only real abilities taken away
here are:

- Your ability to launch the extension install prompt without user consent,
which is bad.

- Your ability to hide the reviews and other details on the Web Store page,
which is bad.

~~~
seanwilson
> Or you could have them click once to link to the Web Store, and a second
> click to install the extension. Still two clicks.

Counting clicks isn't taking into account the user experience when inline
install is used properly. The intended use for inline install as far as I see
is you have a website with an "add to Chrome" button for your extension, you
click that, read the permissions and click "install". When you're redirected
to an entirely new page instead and the user has to hunt for the install
button, the user experience isn't quite as good.

> - Your ability to launch the extension install prompt without user consent,
> which is bad.

This doesn't appear to be the intended use.

> - Your ability to hide the reviews and other details on the Web Store page,
> which is bad.

Inline install shows the average rating and a link to get more details. The
store pages don't show the reviews unless you click on the "reviews" tab
either.

