Hacker News new | past | comments | ask | show | jobs | submit login

That's remotely hosted code...also a problem, but you can inject code that's not remotely hosted.



The point is that it’s a different permission.

https://news.ycombinator.com/item?id=41812416

If you are really privacy conscientious, ad blocking extensions should be able to exist without any access to web requests now.


I feel like we're losing the plot here. Removing the cancel capability of onBeforeRequest didn't improve security much. It did, though, hobble ad blockers to just dealing with static lists if they want to prevent an ad from downloading in the first place.

Removing the onBeforeRequest redirect didn't add much security either, since you can just ask for permission B instead of permission A and just inject code. Though, ad blockers don't need that anyway.


It’s insane to think that an extension with the ability to snoop on all your requests is more privacy oriented than one that can’t.

It’s insane to want extensions to snoop on all your requests in an attempt at more privacy.


It only sounds insane because you're saying "want extensions to snoop" to describe "want extensions to run a function call locally".

It is a permission that could be used by a malicious extension to snoop, but that is far from the only use. Wanting the permission != wanting snooping.


Well, I would allow it for one specific extension that I feel does more good than harm for the capability. Call me insane.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: