Comment by xnx
> It's entirely possible to manually vet extension code and extension updates
I thought the core vulnerability of Manifest v2 is the new code can be loaded by an extension on the fly without any extension update. How would you vet that?
The same way it's done with V3, because no permission-level blacklist/whitelist is going to prevent the person from creating an interpreter within JS itself.
Looking at https://developer.chrome.com/docs/webstore/troubleshooting#a... it seems most of the heavily lifting is done with some combination of static/dynamic analysis during extension review. The same analysis (plus trivially catching eval) could be done with V2 as well.