Comment by GeekyBear
> Extensions are untrusted code that should have as little access as possible.
It's entirely possible to manually vet extension code and extension updates in the same way that Mozilla does as part of their Firefox recommended extensions program.
> Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
Other factors taken into consideration:
Does the extension function at an exemplary level?
Does the extension offer an exceptional user experience?
Is the extension relevant to a general, international audience?
Is the extension actively developed?
> It's entirely possible to manually vet extension code and extension updates
I thought the core vulnerability of Manifest v2 is that new code can be loaded by an extension on the fly without any extension update. How would you vet that?