Post author here! I wrote this post five years ago. Since then, my conviction in the value of customizable software has only grown, but I've also updated my thinking in a few ways:<p>1) AI<p>AI is rapidly getting better at coding. Current AI is often bad at high-level architecture but is capable of making small local tweaks. Seems like a good fit for the kind of code you need to write a browser extension!<p>I'm exploring this direction; wrote more about it in "Malleable software in the age of LLMs" [1]<p>2) Security<p>Having talked to people who worked on various extension platforms including the browser extensions API, I see more clearly than I did five years ago that security is often the key bottleneck to deploying extension platforms meant for mass adoption. Anytime you want everyday computer users to be installing invasive extensions to important software from untrusted third parties, it's gonna be challenging to protect them.<p>That said, I still think that conversations around extensions tend to focus too much on security at the expense of all else. Customizability is important enough that it may be worth prioritizing it over security in some cases.<p>I also think there are many reasonable paths forward here. One is to exchange extensions with trusted parties -- e.g, coworkers or friends -- rather than installing from random people on the internet. Another might be to only build your own extensions; perhaps that'll become more viable with AI-assisted programming, although that introduces its own new security issues. And finally, I've met a few people who have smart ideas for architecting software in a way that helps resolve the core tensions; see [2] for an example.<p>3) Backend access as a key limitation<p>I've increasingly realized that the fact that browser extensions can only access client code in a fairly server-centric web means that many deep customizations are out of reach. Perhaps you can't read the data you want, or there's not a write API to do the thing you need.<p>While I'm optimistic about what extensions can do within the boundary of the client, this is an inherent limitation of the platform.<p>At Ink & Switch (the research lab I now work for), we're working towards local-first [3] software: collaborative software where the data and the code lives on your device. Among other benefits like privacy, we think this is the right foundation for more powerful extensions, since your data and the app code aren't locked away on a server.<p>[1] <a href="https://www.geoffreylitt.com/2023/03/25/llm-end-user-programming" rel="nofollow">https://www.geoffreylitt.com/2023/03/25/llm-end-user-program...</a><p>[2] <a href="https://www.wildbuilt.world/p/inverting-three-key-relationships" rel="nofollow">https://www.wildbuilt.world/p/inverting-three-key-relationsh...</a><p>[3] <a href="https://www.inkandswitch.com/local-first/" rel="nofollow">https://www.inkandswitch.com/local-first/</a>
Just the framing of "browser extensions" is extremely problematic in the year 2024.<p>Most browser extensions by weight are Google Chrome extensions. Google Chrome is unambiguously demonstrating that no API is safe in its quest to juice revenues. Anybody who builds extensions using Chrome's APIs should be very aware that they're quite possibly putting effort into something a juggernaut will stomp away without a second thought.<p>I don't care to live in strategically lost situations like this, so I think the conversation should be about <i>Firefox</i> extensions. Which also don't have a great track record (the transition to Google Chrome compatibility a few short years ago still annoys me greatly), but are a qualitatively better counter-party to deal with.
Many popular browser extensions were bought up by data brokers that use them to exfiltrate browser history, so not sure if they’re underrated, I think you have to be pretty careful as the extension security/privacy model is/was pretty awful. I e.g. know screenshotting extensions (Awesome Screenshot) that would vacuum up your browser history and send it to a data broker in Israel. So probably better to have that as a native browser feature.
I wish browser extensions had more fine-grained permissions but it's a tricky problem verifying if software is using permissions maliciously (see the Obfuscated C Code Contest and the Underhand C Contest) and how to communicate nuanced permissions to users (most users don't read and/or understand tech stuff, and can be easily mislead).<p>A tip in Chrome that I never see mentioned if you want to be extra safe when trying extensions:<p>- Go to Profiles > Add profile > Continue without account<p>- Install any extensions you feel like in this profile and they're completely isolated from the tabs logins, history, cookies and so on in your regular profile. Similarly, you can run Chrome Beta or Chrome Canary for installing extensions into, alongside regular Chrome.<p>E.g. you can install 10s of potentially risky web development extensions into this profile (they usually need a lot of access to do what they need to do), and keep them sandboxed away from the profile where you do your personal banking or login to work websites.<p>It's not practical for every extension, but I do this for my web development stuff and only use a couple of extensions for personal stuff.<p>I sell a browser extension where the permission I really want to ask for is "can only observe the network traffic it sends/receives in its own tabs" but I'm lumped with having to ask for the "read and write all your data" permission, but I make sure to share the above tip in the description (shameless plug: <a href="https://chromewebstore.google.com/detail/checkbot-seo-web-speed-se/dagohlmlhagincbfilmkadjgmdnkjinl" rel="nofollow">https://chromewebstore.google.com/detail/checkbot-seo-web-sp...</a>).
> Browser extensions remind us what it’s like to have deep control over how we use our computers.<p>Uh. Linux users would like a word here.<p>But more generally, there's a significant component of this that seems isomorphous to the question I was trying to discuss in a post I wrote several years ago called "Is Open Source a diversion from what users really want?"<p>There seems to be much more excitement about ways to "hack" software that do not involve build systems than the complete, open-ended and (theoretically) unbounded access provided by FLOSS. It's not hard to see some obvious reasons why that would be true, but still a little disappointing.<p>I tried to discuss that here, specifically in the contrast between Reaper's provision of scripting-but-closed-source versus Ardour's scripting-but-open-source.<p><a href="https://discourse.ardour.org/t/is-open-source-a-diversion-from-what-users-really-want/102665" rel="nofollow">https://discourse.ardour.org/t/is-open-source-a-diversion-fr...</a>
I built a chrome extension that is featured on the chrome web store[1] and the number of requests I get from shady data brokers looking to buy my extension and fill it with spyware is really concerning. A naive dev could build something cool and sell it off to someone thinking they'll maintain if for them but instead just cause a hazard for users. Google seems to do a decent job of reviewing the use of permissions but some extensions like mine really need access to everything on the page so I can only imagine what a data broker could do with it. Be careful what you install.<p>[1] <a href="https://chromewebstore.google.com/detail/css-selector-helper/gddgceinofapfodcekopkjjelkbjodin" rel="nofollow">https://chromewebstore.google.com/detail/css-selector-helper...</a>
I think what we need the most is a "view source" for browser extensions installed from the store: make it easy to view the source and to extract the browser extension into a folder.<p>Make it easy to find out which web pages they access and which they modified.<p>Minimized/encrypted code in extensions should be forbidden. It should be very easy to read the code.<p>E.g. this extensions says "records user activity", but what is that really: <a href="https://chromewebstore.google.com/detail/coffeelings/hcbddpppkcnfjifbcfnhmelpemdoepkk" rel="nofollow">https://chromewebstore.google.com/detail/coffeelings/hcbddpp...</a>
> Today, it requires a big jump to go from using browser extensions to creating them: you need to learn a fair amount of web development to get started, and you can’t easily develop extensions in the browser itself. What if there were a quick way to get started developing and sharing extensions in the browser? You could imagine smoothly transitioning from editing a website in the developer tools to publishing a small extension.<p>They're not full extensions, but userscripts and user styles go a long way, and extensions exist that allow people to create/use them in the browser (eg. Tampermonkey[0] and Stylus[1].) I consider them incredibly important, even though they can't do as much as extensions.<p>[0] <a href="https://www.tampermonkey.net/" rel="nofollow">https://www.tampermonkey.net/</a>
[1] <a href="https://chrome.google.com/webstore/detail/stylus/clngdbkpkpeebahjckkjfobafhncgmne" rel="nofollow">https://chrome.google.com/webstore/detail/stylus/clngdbkpkpe...</a>
I program (not js/ts), use a massive number extensions and consider myself an absolute power user of them and refuse to ever use a browser WITHOUT the chrome/firefox extension ecosystem, I've written themes for Chrome and VScode, but I'm still here- (like pink/cyan? get on in! <a href="https://marketplace.visualstudio.com/items?itemName=mikejk8s.pink-cyan" rel="nofollow">https://marketplace.visualstudio.com/items?itemName=mikejk8s...</a>).<p>I have <i>no</i> idea via the Chrome prompts what extensions are able to do, read, see, access, etc. "Allowed to access data on all websites" - Is this literally all data? Like what I'm typing? Like does it know when I go URL to URL? it is just reading the assets? Is there a chrome API that limits their access that I can see? What do I actually need to worry about? I have a video zoomer that lets me zoom in on any video on any website, do I need to literally audit each extension myself and make sure it's not mirroring my data elsewhere or something?<p>I have no idea. How would a non technical user know any of this?
I prefer bookmarklets because they<p>- Are easy to edit<p>- Are inactive until clicked<p>- Work in all browsers<p>- Work on mobile<p>- Integrate nicely into the UI. I can move them around, put them into any bookmark folder, assign shortcuts.<p>I wrote this bookmarlet editor which makes it easy to convert between clean code and a bookmarklet:<p><a href="https://www.gibney.org/bookmarklet_editor" rel="nofollow">https://www.gibney.org/bookmarklet_editor</a>
They're much too big of a target now for spy- or malware. They have too much access to everything we do in a browser. And you can't just evaluate them once, they auto-update silently and you never know when they might be bought by a malicious actor.<p>I use a very limited set of extensions I trust like uBlock origin and Bitwarden. Also some developer extensions, but usually not on my main browser. Everything else is just not worth the risk for me.
Is there a way to use browser extensions safely?
Any extension that looks interesting needs access to everything I see on the screen (and even modify it), which to me seems a huge security risk. My understanding is that random extension is able to read and send somewhere almost all my data when I read my email, do online banking, etc.
Do I understand correctly the situation?
I love the idea of browser extensions but they don’t appear to be worth the security/privacy risk for my use cases. I wonder how many others are like me and too paranoid to risk extensions at all?
What has always blown my mind is the lack of documentation/open source projects. With such powerful data we come across while browsing the web, it would only make sense to me there would be more tools to use an extend in this space. Browsing history is especially under valued. Even though the data technically exists, it is quite difficult to retrieve pages that have been visited, imo because of poor UX. Most people keep every Internet journey opened in hopes they will remember to return to it. I have been taking a stab at improving the UX with a history browser extension [1] which I have found myself legitimately finding value in using (a first for my personal projects lol).<p>[1] <a href="https://github.com/lunabrain-ai/lunabrain/tree/main/js/extension">https://github.com/lunabrain-ai/lunabrain/tree/main/js/exten...</a>
More like overrated. An extension can't be better, can't offer more than what the host application allows. All these developers hang on by a thread. Compared to OS APIs, in-app APIs are more unstable. Goals, profit incentives affect a single application much harsher than how a wider ecosystem would react. It's good that they exist, but at most they are viewed as a necessary annoyance by their hosts. Chrome I won't even need to mention, but winds could turn anytime on something like VSCode as well.<p>Sure, Webkit and VSCode are both open source and forkable along with their extension support, but any later development would rot compatibility until, and if, a popular fork emerges.
There was a good article from John Loeber a few months back about browser extensions: <a href="https://loeber.substack.com/p/9-15-years-of-market-gaps-for-browsers" rel="nofollow">https://loeber.substack.com/p/9-15-years-of-market-gaps-for-...</a><p>He had the same point, where it feels like browser extensions are a big, somehow under-appreciated market. Browsers are huge platforms -- creating add-ons and making them more capable should be a popular, value-generating thing to do! But for a number of (developer) UX/UI issues, that just hasn't been the case. I hope this changes!
The web has become unusable without extensions like uBlock Origin, but extensions can contain malware.<p>I have moved over to only using extensions that have gone through Mozilla's manual code review necessary to become part of their "recommended extensions" program.<p>> Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts<p><a href="https://support.mozilla.org/en-US/kb/recommended-extensions-program" rel="nofollow">https://support.mozilla.org/en-US/kb/recommended-extensions-...</a>
It's possible that some here might confuse Web Extensions with Safari App Extensions. Safari App Extensions are not the same as Web Extensions. App extensions are written in native code (Objective C or Swift); they operate within Apple's sandbox; their data is saved within Apple's secure file system; and if they are sold via the Apple App Store, they are reviewed and approved by Apple. One never has absolute assurance that an app is proof against attack, but until I learn otherwise, I think Safari App Extensions are safe.
One benefit I would add is that cross platform support is great for browser extensions. Browsers already run on different OS's and devices. Browser API and extension API are fairly uniform among the major browsers. It's close to the cross platform support of general websites.<p>As an experiment I develop my latest browser extension on Firefox [1], Chrome, and Edge [2] at the same time to see how difficult it is to share the same code base. The difference is minuscule, like less than 0.01%. Chrome and Edge are essentially the same. Firefox is a bit behind in Manifest V3 support and needs a few lines Firefox specific API calls. The manifest files have a few differences. Overall, sharing the same code base is very feasible.<p>[1] <a href="https://addons.mozilla.org/en-US/firefox/addon/one-page-favorites/" rel="nofollow">https://addons.mozilla.org/en-US/firefox/addon/one-page-favo...</a><p>[2] <a href="https://microsoftedge.microsoft.com/addons/detail/one-page-favorites/gnhomonbmcfhbfgbloacgnpgjcefbanm" rel="nofollow">https://microsoftedge.microsoft.com/addons/detail/one-page-f...</a><p>Edit: You might ask where the Chrome version. Well, I had a heck of time to create a new Google account for deployment. Stay tune.
I quite like bookmarklets, easy to write. Tried a userscript but couldn't get into it. Never tried an extension, wouldn't know where to start.
I've had some ideas for browser extensions over the years, most recently a few months ago. I remember looking at Mozilla docs for making a Firefox browser extension and, as a SWE w/10 YoE (mostly fullstack web), I was left confused. The documentation felt incomplete and I left the article with more questions than I had before.
I run a browser automation extension that only does actions on certain sites (clipping coupons for grocery store sites and credit card offers rewards). I created it this way specifically because I am terrified of extensions that want to read and write all sites. And you should be too.<p>I wish the chrome store gave badges to extensions like mine to make people more aware, give a filter when searching for new extensions, and to encourage least permissive development.<p>The chrome store extension rules are also unevenly enforced. Take a look at the source code for something like 1password. It is full of obfuscation and completely unintelligible which is against the store rules. I base64 encoded a single string that was my json dict in an otherwise completely readable js file and it went through on one publish but a few versions later was red flagged.
I love working with hackable software. I kind of attack it at the source level vs writing for the browser however. For example, say there’s some tool on a git repo. I will shamelessly clone it and build off of it to my own liking. Maybe I add another 1% to the code base, or maybe that repo becomes 1% of a codebase I write on my own. These are tools I could never share however, because of the rampant plagiarism I am doing, and the fact I don’t much care about getting it to run on different systems beyond my own. That being said fast and loose coding like this is a very powerful way to iterate on personal projects that never need to be anything but. I wish more things were actually hackable especially mobile or appliance hardware. Companies never like giving the power users the reigns for some reason.
Browser extensions, if we use the analogy as apps running within browser as an OS, are lacking simple capacities to manage the risks. Just like any app a user can install on their devices, extensions extend the attack surface. As we cannot avoid the risk by removing all of them, we can just allow users to have more control on them regardless of the browser they use. I suggested[0] using standard management APIs provided by browsers, therefore the ecosystem can use them as building blocks for FOSS and/or commercial tools. That's a very naïve idea but why not?<p>0. <a href="https://zaferbalkan.com/2023/10/03/browser-extension-api.html" rel="nofollow">https://zaferbalkan.com/2023/10/03/browser-extension-api.htm...</a>
Talking about how bad Google is limiting ad blocker, then going ahead and saying "I use Chrome extensions" I am assuming that means in Chrome. Its your fault then. Move to Brave (has ad Blocker without limitations build in, you can use all Chrome extensions) or Firefox or whatever browser but if you continue to use Googles shit then you are helping them kill what makes extensions great. They do not even support extensions on mobiles, obviously with the excuse of performance but its so most people who are actually on mobile can't block ads and otherwise remove commercial toxicity from the web.
Browsers REALLY have to fix the "read all your data" problem. Even with domain limitations, if you use an extension for a site, that means you use that site a lot, so you probably even have an account on it.<p>I think extensions should declare a bunch of CSS selectors that they need data access to, and if an element doesn't match those selectors, then all attributes and .innerText/.innerHTML should return undefined.<p>I don't care if normal people can't understand what CSS selectors are. Just hide it in "view technical details" box or something.
While I fully agree with the hacker ethos of this post, a major issue I have with extensions today is that they're hard to trust. Chrome updates them automatically in most cases, which means a malicious update can easily slip by undetected. There are hordes of data companies looking to buy popular extensions or pay their authors to sneak spyware or other trackers in. The risk surface is massive, which is sad because I believe extensions are also one of the best modalities for extending what people can do online.
"Computing is still young, and platforms are changing quickly. Modern browser extensions and smartphone platforms have only been around for about a decade. These platforms will evolve, and there will be new platforms after them, and we will get to collectively decide how open they will be."<p>I really like this final comment. As a non expert in computing, I also often think about how young is this field, and I fantasize about how it will evolve, hopefully towards a more accessible and open ecosistem.
I wanted to build an internal company extension, but for that (chrome) you still need to go through the review process with Google and it is even worse than Apple’s App Store reviews.
I love to build extensions.
Such a nice thing they made website source easy to read and manipulate for your own usage, and can even share your modifications to build an extension.
It is just like your newspaper, you can write on it, cut precies out, etc. You can do with the site what you want for yourself.
The newspaper designed also it how they like, but you can also grap your scissors and pen to change it for yourself.
Back when Facebook was fun i paid 5 dollars to write a cross text extension. Back then i was doing a lot of those jokes where you get a popular saying, strike one word and write another one to make it funny.<p>What was funny to me is the fact the Facebook started to revert my posts when using this. I remember recording a video about it, don't know if i still have it though.
I love browser extensions both as a user and as a hacker.<p>The elephant in the room is browser extensions are not a web standard and Google or Firefox can make a breaking change to you at any time “for security”. Also Chrome can boot you out of the store or ask for 100 point ID check in the future.<p>Extensions are great but a web standard for them would be even better.
I really like your article I agree with your point that extensions are tools for extend current software functionalities and see beyond the creators...
Currently Im working on a Gmail and Outlook extension for email called Mailverse that add superpowers to the current email clients.
Discussed at the time:<p><i>Browser extensions are underrated: the promise of hackable software</i> - <a href="https://news.ycombinator.com/item?id=20556382">https://news.ycombinator.com/item?id=20556382</a> - July 2019 (186 comments)
> Compatibility: Because extensions hook into websites in unsupported ways, updates to websites often result in extensions temporarily breaking, and extension authors scrambling to fix them.<p>Has anyone who's built a browser extension solved this?
I think that metamask is an example of a great add on that proves how great browser extensions are. Also, I think that the most popular browser extensions like metamask will eventually become built into every browser
Do they work on mobile yet, all of them? Without that, it is not so useful for me as real investment of my time to make them; 60% of my screen time I wouldn’t be able to use them.
<i>Qui prodest</i> is the question you must ask when you hear the usual points against, mostly security. It's not that every person that dislike extensions or repeat the same arguments is paid by <i>"them"</i>, but it's a little shocking seeing so many negative opinions in a forum called <i>Hacker News</i>.<p>This comment: <a href="https://news.ycombinator.com/item?id=39251996">https://news.ycombinator.com/item?id=39251996</a> by Retr0id hits the nail in the head. It's not that we cannot modify the software, but there are so many layers of inconvenience... what about modifying and recompiling the browsers themselves? They're so big now. The solution would be extensions. But no. Security.
Tangential: What tooling do you use to develop Extensions. I used React and couldn't find something any testing libraries which works on background and content scripts.
A somewhat-shameless plug here, since I've released this just yesterday:<p>Browser Extension for Hacker News written in Rust WASM:<p><a href="https://github.com/drakerossman/hackernews-userscript">https://github.com/drakerossman/hackernews-userscript</a><p>It has filtering capabilities (filter in title, link, text, or username via regex) and softhide (hide all the items on a page without pulling others from the next page).