Browser extensions are underrated: the promise of hackable software

320 points by gklitt, almost 6 years ago

28 comments

zmmmmm, almost 6 years ago
> The modern browser extension API has done a good job balancing extensibility with security

No, it hasn't. Almost every single extension I install tells me some variant of "This extension can intercept and modify all of your browsing traffic". That's not "well balanced", it's completely broken. This is happening clearly for extensions by well intentioned people that *do not need those permissions*. I can't help but cynically interpret the current situation as intentional on Google's part because having the security model be "trust Google to vet the extensions" happens to centralise all the power with them. If you can't trust an extension from the wild then they might as well not exist, right?

People laughed Java out of the browser because it took 500ms to start, but at least it had an actual security model.
idoubtit, almost 6 years ago
I believe many people should attempt to create their own web extension, even if they don't publish it.

In my younger years, I used to crack and hack software just for fun. Those were my Softice years. Later, when Opera was not Chromium based, I also had several site customisations, since it was very easy to add my own JS and CSS to any web site.

Nowadays, I have 4 extensions created and tailored for my needs. One that deals with cookies (mostly "delete everything" outside of my white list) and three that add functionalities to specific sites (automating, managing lists, hiding or highlighting content, etc). Building them was fun, though not as much fun as playing against "copy protections" long ago: like going from competitive chess to creative DIY.

The only pain with custom made extensions is that Firefox is very reluctant to load them. I don't want to upload them on some Mozilla server, so I have to enter some cryptic "about:..." URL, then click and navigate to my extension, for every extension at every browser start. This is one of the main reasons I'm using more Vivaldi than Firefox these past months.
gnicholas, almost 6 years ago
Browser extensions are also really important for accessibility. People with many kinds of disabilities use extensions to make websites more readable, easier to navigate, or more accessible in other ways.

Unfortunately, the big mobile browsers do not support extensions, which is a huge blow to accessibility. I think Firefox for Android is the only mainstream-ish browser that supports extensions. Apple prevents them from doing the same on iOS because it would be considered "an app store within an app", which is forbidden.

The only thing Apple allows is action and share extensions, which have to be manually activated on every single page (2-3 taps to do so — which is super user-unfriendly, esp. for PWD). It's great that Apple does a lot for accessibility in general, but I really wish they would open things up a bit more so that users could customize the iOS experience to make it more accessible.

As a dev, I would be more than happy to have my code scrutinized even further in order to ensure that what we're doing doesn't create security, privacy, or performance issues. We'd just like to make our accessibility software as useful for folks on mobile as it is on desktop!
ignoramous, almost 6 years ago
Extensions can be uninstalled, revoked, disabled at will. Can't really bend BigTech to do your bidding, and that trumps whatever the security argument brings to the table, imo. Extensions should be done in a security friendly way [0], and not the other way around of making software secure by disabling all extensibility [1].

Take the example of the Android ecosystem: If plugins were allowed for apps, pretty sure there'd be a better story around privacy today. An astonishing 40% of connections from Oppo/Vivo or Xiaomi phones are to ad networks and trackers. And there's nothing you could do (without root) except to firewall it (apps have started working around pi-hole-esque setups). XposedMod has brought plugin based development to Android [2], but it is niche and requires not just root, but replacing key framework components. Using it might still be worth it, though, given the relentlessness of OEMs and carriers.

And that's just sad.

[0] One way to tackle the problem of developers selling away rights to their extensions is to legally make it binding to publicly declare whenever ownership changes hands. Disable extensions across all installs, and let the users enable after the fact is made obvious to them.

[1] https://www.eff.org/deeplinks/2019/06/adversarial-interoperability-reviving-elegant-weapon-more-civilized-age-slay

[2] https://www.xda-developers.com/best-xposed-modules/
burtonator, almost 6 years ago
Extensions are awesome but I think this article is a bit too optimistic. I mean I share the optimism but in practice a major challenge is the platform.

Chrome for example has a ton of limitations:

https://getpolarized.io/2019/04/05/Google-Will-Kill-Chrome-Extension-Innovation.html

If you want to do anything significant you have to get their 'permission' and at that point they throttle your extension release updates.

You can't just push an update immediately that gets sent out. They take a week to approve your extension.

This might sound reasonable until you realize that a week is an eternity for a continuous development shop. That might as well be a year.

ESPECIALLY if something is broken.

Imagine if you had a bug that destroys data and you need to rush out a fix. Nope.. You need to wait one week for that to go out.
seanwilson, almost 6 years ago
I launched my side project (https://www.checkbot.io/, a website best practices checker) as a paid Chrome extension and have been happy with the experience so far. The browser extension platform lets me easily support Linux, Chrome OS, Mac and Windows, with automatic updates and small installation size (~1MB). I get traffic from people discovering the extension via the Chrome store, and users can install and launch the app in seconds which lowers onboarding friction.

Compared to native apps, I think browser extension based apps reduce a lot of headaches for developers and users.
_trampeltier, almost 6 years ago
Not just browser extensions. I miss an API in all kinds of software we use at work.

No wonder half of the companies in this world run on Excel.
Endy, almost 6 years ago
Browser extensions are being underrated deliberately by browser developers. Ever since we lost XUL Firefox, anyone who wants to really do anything worth doing around a web browser should have already switched to Pale Moon. Doubly so with Google's Manifest v3, which is going to kill selective content download management.
andrenth, almost 6 years ago
Next (https://github.com/atlas-engineer/next) might be a truly hackable browser.
ohazi, almost 6 years ago
I don't agree with the author. He pays lip service to security being important, but then proceeds to ignore the threat because he thinks extensions are great. I think people should be more hesitant to install a browser extension than just about any other piece of software.

The threat is absolutely real. Bad actors regularly offer large paydays to lone developers with popular extensions so they can roll out an update that quietly adds a backdoor.

There's at least *some* publicly documented evidence that Raymond Hill (uBlock Origin) isn't likely to cave to this sort of pressure, but do you really believe that *none* of the other authors of your fifteen favorite extensions would look the other way for $100k?

Keep in mind that these offers don't look like "Here's some money, please let us roll out an evil update to your extension." They look like "Our company has a product with a similar name. We love your extension and would like to offer to acquire it from you so that we can use the name. We'll even let you keep the rights to your software so that you can re-release it under a different name if you'd like!" They'll make it really easy for the developer to remain in denial about what they're actually facilitating.
mikekchar, almost 6 years ago
Here's an opinion that is likely to be controversial: I like Gnome Shell for exactly the same reason. To be fair, it's something like 7 years since I used it, so maybe things have changed a lot. I ended up abandoning it because I don't like Gnome in general (I want something significantly more lightweight). But I *loved* the idea that I could completely change the way my window manager worked by writing a surprisingly small amount of JS. Not only that, but it had (I hope still has) hooks into mutter, so you could do anything you want to the compositor as well. For example, one of the things I did was to have windows that zoomed the contents when I resized them rather than increasing the size of area in the window -- I did it because I have terrible vision and virtually every time I want a bigger window it's because I want it magnified.

I just noticed Xlambda which was featured very recently on HN: https://news.ycombinator.com/item?id=20316920 I wonder if there is a compositor I could talk to as well... compton doesn't do the kinds of things I want to do...
ocdtrekkie, almost 6 years ago
On the contrary: Browser extensions are horribly overrated. They're a massive security problem (the number one place malware is found on a computer) often for the benefit of replacing the word "cloud" with "butt". They are rarely adequately audited or restricted and have far more access to private data than anyone generally realizes.
simon_weber, almost 6 years ago
Browser extensions are an important part of my small business since there are some things I can't reasonably do without them. https://autoplaylists.simon.codes is a good example: Google Music just doesn't make some metadata available over their OAuth APIs.

I understand the broader extension security situation is pretty atrocious, but I like to think there's some small improvement from url-limited extensions like mine (that would otherwise exist as scripts that ask for plaintext credentials).
saurik, almost 6 years ago
I gave a highly related talk in 2010 called "Even Software Should Have Screws" at TEDxAmericanRiviera, based on my background working in the iOS jailbreaking community, where I maintained a software ecosystem similar to browser extensions, but for apps and system software.

https://youtu.be/ReKCp9K_Jqw
ggggtez, almost 6 years ago
> personally use Chrome extensions that fill in my passwords, help me read Japanese kanji, simplify the visual design of Gmail, let me highlight and annotate articles, save articles for later reading, play videos at 2x speed, and of course, block ads.

So, autofill, autotranslate, HTML-only mode in Gmail, (?), literally just bookmark it, any html5 video player, and of course, block ads (which most browsers seem to be moving to do by default). These are all either offered by the browser by default, or will be (though Firefox seems more interested in adblocking than Chrome right now).

Obviously they may not do it the same, but as someone who is suggesting addons offer a lot of power, the writer is not actually *using* most of that power. I kind of agree with browser developers that more often than not, extensions just offer a new vector for malware and no one really understands what power they have so they make bad choices.
ggurgone, almost 6 years ago
Shameless self-promo – I built Refined Twitter Lite which customizes the new Twitter introducing features like Single Column layout.

I primarily built it for myself but maybe some of you folks might find it useful too https://chrome.google.com/webstore/detail/refined-twitter-lite/adhbafkkfbonbogdlaebnoegpoogngcc?hl=en

It is open source of course https://github.com/giuseppeg/refined-twitter-lite
falsedan, almost 6 years ago
We won an internal hackathon by writing the API and no front end, using a browser extension instead to manifest the client on the third-party page we couldn’t get API access to in time. It sure was easy to write.
anantdgoel, almost 6 years ago
We recently launched a browser extension (https://www.getnobias.com/) and have been happy with the use cases we've been able to build around existing websites. Much easier than convincing news publishers to integrate our products directly into their websites. Users get to choose their experience.
stevefan1999, almost 6 years ago
I was involved in developing a simple app for WebExtension. Not gonna lie, the experience is awful, for example, no IPC support, being way too complicated in terms of API design and that really hateful manifest schema file which echoes the horror of Android API permission XML. I gave up at some point, but I could provide the source code if I could get a chance to recover my files.
modzu, almost 6 years ago
here's a shameless link to my small batch of extensions, hopefully some find useful. all open source of course!

https://addons.mozilla.org/en-US/firefox/user/13170802
0xDEFC0DE, almost 6 years ago
Anyone with a foot/feet in pentesting/appsec feel that there could be a good omni extension that encompasses cookie editing, header editing, local storage, proxy toggle, and has other potential features?
Arkdy, almost 6 years ago
I love that extensions turn the idea of browser differences into a strength.

It's a reminder that the websites you make don't just go into a black box, they have to co-exist with individual user preferences/needs.
miguelmota, almost 6 years ago
Sometimes popular abandoned browser extensions get bought up by malicious actors that inject malware into your browser without you ever knowing because extensions get automatically updated.
dman, almost 6 years ago
I would really like a browser which attempted to be extensible the way emacs is. No modern browser appears committed to extensibility as a key feature / differentiator.
calmchaos, almost 6 years ago
Check out some kickass WebExtensions by Nodetics: https://nodetics.com
edgarvaldes, almost 6 years ago
I would say that maybe they are underused or not well known by the general public, but not underrated.
ardani, almost 6 years ago
Hacking extensions are underrated, your browser software is unbrowseable.
DiseasedBadger, almost 6 years ago
I haven't cared since XUL died, and I don't imagine I will. New extensions are just webpages.

I can already make webpages.