
Isolation isn’t a benefit for extensions: the whole point of extensions, bookmarklets, etc. is to be able to modify arbitrary aspects of the browsing experience in arbitrary ways.



It's a balance, right? If browser extensions had kernel access, I think we'd all agree that's bad. Now, that's obviously an extreme, but where is the line?

Up until recently†, I'm not aware of a situation where a popular Firefox extension was unable to work in Chrome due to Google restrictions.

†I'm purposefully excluding the whole adblock thing, as that's super recent and thus not relevant here.


Playing devil's advocate, many Firefox extensions don't work as well or at all as they used to. Tree style tabs can't integrate in the same way without extra modification; all of the FF extensions that allowed you to control your browser with vim bindings no longer work.

I actually still think the API design was a good idea and am glad for the added security. Still, the API change took down some popular extensions for sure.


But it's not about the popular extensions.

Now there is no more middle click to submit on forms and I used that at my old job to speed up a bunch of tedious tasks.


That sounds trivial to implement in an extension at least. If there isn't one already I could probably take a crack at it.


> It's a balance, right? If browser extensions had kernel access, I think we'd all agree that's bad. Now, that's obviously an extreme, but where is the line?

It is, and it boils down to the usual security vs. utility tradeoff - beyond some point, more secure means less useful. Kernel access is a stretch, but then again, I could make my computing experience much more pleasant if I had a deeper ability to control and inspect the browser from external software running on my computer.


I don’t know about you, but I don’t trust all the extensions that I want to use.

Especially in Private/Incognito Mode I only want extensions for blocking ads/trackers + 1Password and that’s it.

Also being able to see what the extension does is really valuable to me, because allowing an extension to read the data on all websites you visit is really suspicious for a majority of extensions.

Mozilla has had a good review process in place and truth be told Chrome's Web Store has suffered from spyware and malicious extensions more than Firefox. But that's only because it is more popular and Google is known for really screwed / non-existent human support (e.g. extensions being reported as being malware with no immediate action).


> I don’t know about you, but I don’t trust all the extensions that I want to use.

That's fair, but this dynamic drags down usefulness of the whole platform. Browsers could offer extended permissions allowing extensions arbitrary control over the browsing experience, but they can't trust extension authors not to get greedy about privileges, and can't trust regular users to be smart about it. It's what happened with Android: applications requested every possible permission, users learned to just accept it.

> Also being able to see what the extension does is really valuable to me, because allowing an extension to read the data on all websites you visit is really suspicious for a majority of extensions.

That's true, and I wish there was an easy way to transparently run an I/O trace on an extension, and to have super-fine-grained user-level control over its permissions. I use a bunch of extensions that modify the contents of sites; I wish I could manually restrict them to a whitelist - and sometimes blacklist. Like, e.g. I don't need Cloud2Butt to work on my banking site.



