I'm a former add-ons product manager for Firefox. I never would have considered something this drastic (after all, Firefox is about choice, so it wouldn't have even been an option), however fake/malicious/rogue add-ons are a massive problem. If Chrome has a kill switch on every single add-on (and not just the ones uploaded to their site), they can do a better job of stopping malicious add-ons.
Add-ons can do a ton of damage, and you'd be amazed how many people click through the install warnings without thinking.
Yeah, this isn't a great solution, but it's been surprising the number of Mozilla folks that have come out and said, "this may be the only real solution". They've all said they won't be doing the same thing, but there has sometimes been a strong suggestion of a "yet..." there.
I don't think:
a) most people realize that extension permissions are not exactly analogous to phone permissions. When you give browser extensions even fairly standard permissions, they can arbitrarily interact with and alter every single thing you see and do in your browser (meanwhile phones are still somewhat protected by their isolated app architectures). There are some mitigation strategies, but the reality is that the only real difference between many userscripts and a keylogger, for instance, is intent on the part of the developer. And how do you detect that?
b) I don't think many people reacting to this change (like in this thread) realize how many people are actively installing malware in the form of extensions and are being screwed by them. These aren't hypothetical problems, it is quite widespread (check out the many Mozilla conversations about this). This is the reason Mozilla has been so sympathetic to (and muted about) Google's change here, I think.
A dropdown bar and a "are you sure?" are not sufficient. I wish Google would do more (and the "I intend to polish this UI a bit" comment in that bug thread should tell them exactly where they should be focusing their efforts first, not just ignoring it for now), but browser extensions are way too dangerous right now. Downloading the folder and dragging it in kind of sucks, but it's really not that bad in almost all cases (I'm sympathetic to the drop in installations you'll face if you don't want to kowtow to the chrome webstore/mozilla addon approval process, though).
I can't edit my post now, but I was wrong, sorry. I was basing this off the last time I tried it, which either I have a bad memory of or was before it was added in its current form.
I actually quite like the warning bar and the link for more info, which makes what is happening obvious. The expando on the help page for how to install is kind of tucked away visually, though.
There are some unfortunate side effects of this move, like the only available installable extension source being the same vendor as the main producer of the browser, but another source that vets chrome extensions independently of their developers is only hypothetical at this point. Maybe someday if Mozilla and Google agree on a standard app format....
As I said above, though, this appears to be the only actually viable solution at this point. Glad to be wrong on the UI-front.
Hell, I'm a techie and even I've caught myself only a few moments before accidentally installing a random extension that for all I know would steal everything including the pots and pans. I can understand why the Chrome team is doing this because if I've been close, I shudder to think of what non-tech people have done.
I'm aware of the security problems that making Google the Chrome browser extension/userscript gatekeeper could solve, but this change is still an inconvenience to users with common sense about computer security (do I download AdBlock Plus from adblockplus.org, chrome.google.com, or free-browser-extensions.biz?) and want software that won't be available on the web store (anything that doesn't gel with the TOS/Google doesn't like, developers who aren't willing to pay $5 for a webstore developer account [before anyone asks, that includes people who wish to remain anonymous and minors who lack easy access to online payment services], beta versions of extensions, etc) from developers they trust. A hidden opt-in setting in chrome://flags that the kind of people who download obviously malicious extensions are never going to learn about would have been a much more convenient first step than inconveniencing installation for and completely removing auto-update functionality from unregistered extensions. As a first step, it might have mostly fixed the problem or not, but now we'll never know.
I don't think we have to worry about Google ever removing the ability to manually install unregistered extensions from Chrome, as extension developers need that functionality to actually, you know, develop their extensions, and charging money for a "developer account" for an open source web browser would be ridiculous, but the industry-wide trend towards walled gardens is very troubling.
>> Add-ons can do a ton of damage, and you'd be amazed how many people click through the install warnings without thinking
That reminds me of the bit in 'Windows Vista Airlines' from 'If Operating Systems Ran The Airlines...'[1]:
"After answering yes to so many questions, you are punched in the face by some stranger who when he asked "Are you sure you want me to punch you in the face? Cancel or Allow?" you instinctively say "Allow"."
>We suggest Chrome team to follow Opera’s approach, or at least whitelist UserScripts.org globally.
I could be wrong, but I don't think userscripts does any significant culling of their catalog; downloading an arbitrary script from there is just as dangerous as anywhere else. This whole thing is just silly, you have to confirm the installation of a javascript extension. If you accept it, it's your responsibility if it turns out to be a keylogger or what have you, not the Chrome team's. They're shooting everyone in the foot because someone might accidentally shoot their eye out.
It's more like adding a safety that actually works (unlike clickthrough warnings). If you know what you're doing, you can do a search and learn how to drag and drop. Anyone who needs handholding for this shouldn't be doing it.
> This. http://i.imm.io/E9zF.png Seems like a lot of privileges for a userscript managing extension.
Well, no shit. How is TamperMonkey supposed to install extensions that require more privileges than itself? It needs full permissions because it allows scripts you install full access.
From the Chromium devs: "we're putting the power back in the user's hands by allowing them to control where extensions are installed from. By default, the Chrome Webstore is the only source, but users and administrators will be able to add other safe sources as they see fit."
I don't know if the ability to add other sources has been implemented yet though.
>Enterprise Administrators: You can specify URLs that are allowed to install extensions, apps, and themes directly through the ExtensionInstallSources policy[1].
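As an added example (not from the thread or from Google), here is a small audit of the ExtensionInstallSources list in a Chrome managed-policy file, flagging entries that widen the install allowlist to any host or to a non-HTTPS origin. The policy JSON is constructed, and the match-pattern syntax (`<scheme>://<host><path>`, with `*` wildcards and the special `<all_urls>`) is assumed from Chrome's extension match patterns.

```python
import json
import re

# Constructed sample of a Chrome managed-policy file (on Linux such files
# live under /etc/opt/chrome/policies/managed/); not taken from the thread.
SAMPLE_POLICY = """
{
  "ExtensionInstallSources": [
    "https://extensions.corp.example.com/*",
    "http://extensions.corp.example.com/*",
    "https://*/*",
    "<all_urls>"
  ]
}
"""

# Chrome match pattern: <scheme>://<host><path>; the scheme may itself be "*".
MATCH_PATTERN = re.compile(r"^(\*|https?|file|ftp)://([^/]*)(/.*)$")

ANY_URL = "allows installs from every URL"
ANY_HOST = "host wildcard allows installs from any host"
NOT_HTTPS = "non-HTTPS scheme: source can be tampered with in transit"
MALFORMED = "malformed match pattern"


def audit_install_sources(policy_json):
    """Return a list of (pattern, finding) for risky ExtensionInstallSources entries.

    Entries that pin a single HTTPS host produce no finding; everything that
    lets extensions install from an arbitrary or unauthenticated origin does.
    """
    policy = json.loads(policy_json)
    findings = []
    for pattern in policy.get("ExtensionInstallSources", []):
        if pattern == "<all_urls>":
            findings.append((pattern, ANY_URL))
            continue
        m = MATCH_PATTERN.match(pattern)
        if not m:
            findings.append((pattern, MALFORMED))
            continue
        scheme, host, _path = m.groups()
        if host == "*":
            findings.append((pattern, ANY_HOST))
        if scheme != "https":
            findings.append((pattern, NOT_HTTPS))
    return findings


if __name__ == "__main__":
    for pattern, finding in audit_install_sources(SAMPLE_POLICY):
        print(f"{pattern}: {finding}")
```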
Google also killed user scripts that are self-updating like 4chan x. Before you would just click OK on a popup informing you that there was a new version and you were done.
Now you have to drag the downloaded file into a tab with chrome://extensions open.
I don't know why Google hasn't left a switch in to deactivate this "security measure".
Edit: security measure is between quotes because I don't think anybody on HN would fall for something like that easily.
>This really is a security feature and will undoubtedly help vast numbers of people.
This is the worst kind of "feature" (and a colossal personal annoyance), the kind that breaks functionality and/or convenience because some people don't know how to handle their browser. I know how to handle my browser. Why are you making my life harder?
How about a switch for big kids who don't need their hands held?
Note: If your answer begins with the word "fork", you lose.
> because some people don't know how to handle their browser
Actually their argument is that most people cannot handle their browser.
> How about a switch for big kids who don't need their hands held?
I think the GP already gave an answer to that. He agrees that there can be a switch. And to submit a patch, you don't have to fork :)
"I’m very disappointed to find that users can’t install userscripts directly from the UserScripts.org – first they need to save the JS file locally and then drag the file onto the Extensions page (chrome://chrome/extensions/)."
Yes, hopefully they haven't pulled a full Apple, like Microsoft has with their 'Metro' store. I don't think I can ever forgive them for making that sort of lock-down acceptable.
I was also very, very pissed at this ... until I discovered tampermonkey https://chrome.google.com/webstore/detail/dhdgffkkebhmkfjoje... They do userscripts right, and as userscripts are a "high end geek/nerd application" anyway (I would guess only <0.1%[0] of all online users use userscripts) I think it's justifiable to install this extension first (if there is a security win for the rest of the 99.9%).
[0] If we guess that there are 2 279 709 629 worldwide internet users, then this means there are still 2 279 709 userscript users.
I'm kind of annoyed how it nuked the userscripts I had already installed without any kind of warning. Would have been nice to have the choice before they were all removed.
Ironically, it sounds exactly like what Apple is doing with iOS/iPhone. "All our apps should come from the app store because we review them and blah" Considering Android's position of "you can install APKs, but at your risk," I find this bizarre. Is Google slowly becoming Apple?
Setting aside all of the political/philosophical objections to this decision, from a practical perspective, I would be completely fine with this decision if they changed one thing:
Make it dead simple for me to go to the 'developer dashboard' in the Chrome web store and let me create a new extension by just uploading a whatever.user.js file. Don't make me package it up, don't make me know what a crx file is. Let me just hack together some JS to scratch my itch, and throw it up somewhere.
Is this not in effect on Chrome Canary? I use two Hacker News related userscripts, and both are still working. Neither of them ever stopped working.
Well I learned something awesome from this article:
"...userscripts are natively supported in Google Chrome without requiring third-party add-ons... first they need to save the JS file locally and then drag the file onto the Extensions page (chrome://chrome/extensions/)."
From the bug report it looks like they will allow users to choose safe software sources. Presumably this means you could add userscripts to this list and regain the old functionality. It's just not done yet.
This change was made to protect users. Off-store extensions have become a popular attack vector for compromising users of larger sites (e.g. Facebook). Since the trend is only getting worse, we're putting the power back in the user's hands by allowing them to control where extensions are installed from. By default, the Chrome Webstore is the only source, but users and administrators will be able to add other safe sources as they see fit.
What about people like me who can't or won't pay the $5 webstore fee?
I suppose the only option left for me (and people like me) is to do what mrng suggested and instruct users to download the unpacked version and install it manually via dev. mode.
Edit: it seems like there is another way on http://support.google.com/chrome_webstore/bin/answer.py?hl=e... (click on "Steps on adding extensions from other websites"). It makes things better, but it still complicates things for the user. Way to go, Google.
So will they do this with the regular downloads too? Because you can still download malware with Chrome, can't you? And extension developers who aren't accepted in the Google "walled garden" can create a regular downloadable program which forces their extensions into Chrome.
I wish there was a way for page authors to disable user scripts.
Yes, I realize that users can easily open up a console. I'm not afraid of the users, I'm afraid of rogue JavaScript being injected into a page that's reading sensitive data and using it for nefarious purposes.
That would suck! The whole point of user scripts is giving power users convenient control over ANY page in their browser - regardless of what the website owner thinks.
It is impossible for a site to defend a client against threats. That is the browser's job. Just imagine a malicious extension that could override the site's preferences.
I'm a bit disappointed that Google's alternative (the Chrome web store) requires a fee, even if it's only $5.
It seems kind of silly for Google to ask for a fee to distribute a free extension, especially since there is no way for a developer to distribute it themselves.
As someone who writes the occasional userscript in a github gist, I find this to be really annoying. I understand the security perspective, but I think it should be a bit easier to install your own scripts when you know what you're doing.
What's the big deal here? Anybody who wants to install other extensions can still do so.
How often do you install extensions from other sources anyway?
I think this is a good solution to the problem.
Kind of a bummer. I still use a few GreaseMonkey scripts in Firefox, and it's one of the main reasons I still use some pages in FF. OinkPlus is still a great tool for finding new music and artists.
Try for an actual solution whereby most scripts have a few fine-grained capabilities or can only modify specific sites? Better UIs so that people are informed of what an addon is capable of? nah...
How good is the UI that points out the contradiction of "Facebook style changer" wanting to modify all sites? And does this dialog include a warning for extensions that are able to record all activities and phone them home to third party servers, a combination of capabilities that most extensions should not need? There's certainly underlying work that needs to be done to make the latter a reality, but at least trying to solve the problem is better than giving up and falling back to centralized computing.
It's true that users have been desensitized to important decisions through an onslaught of mswin uninformed-consent OK/Cancel dialogs, but at some point they have to be responsible for sensible security decisions (even if that just means downloading Chromium from google.com and not google.com.ojwqodkja.ru). The only way to completely protect a user from themselves is to revert their computer into an unmodifiable display terminal, an idea that should be appalling to anybody who values the concept of a personal computer.