Hacker News

Seems to me that browser extensions need better access control. Why isn't it possible to restrict it to just amazon.com itself, for example?



Browser extensions being enabled for all webpages by default is bad practice for security and privacy. Often the user only wants to use the extension on specific webpages. For example, if I have a video downloader extension, chances are that I only want to use that extension on the page with the specific video I want to download.

Extensions should be disabled by default upon install. If the user wants to use the extension, the user should be able to click on the extension to activate it for this specific page for one time only. None of the major browsers are capable of this (so far as I'm aware), so I always have to remember to disable an extension when I'm done using it.


Steps have been taken toward making this the norm in Chrome but it’s not clear yet to what degree it will be enforced. Already the user can choose on install or at a later time to limit the domains an extension is active on (no matter what permissions it requests) and the ‘declarative’ model for interactions (wake on invocation by user or declare rules/lists to be applied on your behalf by the browser itself) is heavily promoted.


My extension is intended to work from any site (Browser Routr). I could dynamically update the extension manifest from its complementary native app, but that creates races with the extension update process. And for many extensions the concerns are cross-cutting. For example, I want dark style overrides everywhere.


Most of its functionality is meant to work on other websites. There is probably little reason to install it for amazon.com only.

Note: I’m the author of this article.


Which browsers allow users to whitelist specific sites for access by a browser extension?

Or else what is the !#?!% technology hurdle preventing users from making their own lists?


Chrome has this functionality, other Chromium-based browsers most likely as well. But how many users would actually manage access lists for extensions?


I will test out Chrome - thanks. Yet I was hopeful there'd be other choices.

I believe more than one user would actually manage access lists for extensions but you have asked a really loaded question given that browser users are not being given the choice here.


If the dominant web browser wasn't an ad company, browser extensions would not exist in the way they do today. Because any responsible security engineer would nuke browser extensions from orbit, but currently everyone who isn't an ad company has to maintain feature parity with the ad company for competitive reasons.

They are by far the most risky thing one could possibly put on a PC. They essentially remove any alleged benefit to HTTPS/encryption or anything of the sort, because they live inside your web browser and have post-decryption access, often to every website you visit and everything you enter into them.

Do not use browser extensions. Ask your IT person to restrict the ability to install browser extensions.


Huh? From my point of view extensions like uBlock Origin and 1PasswordX further enhance and secure my browsing. With uBO I'm blocking ads and trackers (including malicious ones) and with 1Pass I get secure form fill.

Novelty extensions are a completely different story but I wouldn't go so far as to ban all extensions ever.


I would say any feature worth building as an extension should be a browser feature (like Edge and Firefox have brought ad/tracker blocking). An extension or two for critical functionality is fine if you really, really trust the source, but the default should be hostile to extensions.


But how would you differentiate between useful and gimmicky extensions? If you give users freedom, it always comes with a risk. For the average user, a system like Safari on iOS might be the best solution while more advanced users should have the option to install whatever they like.


I’m not familiar with Chrome/Firefox extensions, but for Safari Web Extensions you can indeed restrict extensions. [0]

Edit: Looks like this feature is present in Chrome/Firefox extensions as well, but for all these platforms (Safari included, I think), this needs to be implemented in the code itself. [1]

[0] https://developer.apple.com/documentation/safariservices/saf...

[1] https://stackoverflow.com/questions/10504239/limit-chrome-ex...


It's at the core of the WebExtensions APIs permissions system:

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

WE are implemented both by Chromium and Firefox (with nuances).
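
The site scoping discussed in this thread, as an added example that is not part of any comment: a small Node.js audit that reads a WebExtension manifest and reports which install-time host patterns cover every site and which are limited to named sites. The three manifests are constructed samples, and the function names are hypothetical.

```javascript
// Added example: flag WebExtension manifests whose install-time host access covers all sites.
// Match patterns that grant access to every (or effectively every) web page.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// In Manifest V2, host match patterns sit in "permissions" next to API names.
function looksLikeMatchPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// Collect every place a manifest requests host access at install time.
function hostPatterns(manifest) {
  const found = [];
  const add = (source, list) =>
    (list || []).forEach((pattern) => found.push({ source, pattern }));
  add("host_permissions", manifest.host_permissions); // Manifest V3
  add("permissions", (manifest.permissions || []).filter(looksLikeMatchPattern)); // Manifest V2
  (manifest.content_scripts || []).forEach((cs, i) =>
    add(`content_scripts[${i}].matches`, cs.matches));
  return found;
}

function auditManifest(manifest) {
  const patterns = hostPatterns(manifest);
  return {
    broad: patterns.filter((e) => BROAD_PATTERNS.has(e.pattern)),
    scoped: patterns.filter((e) => !BROAD_PATTERNS.has(e.pattern)),
    // activeTab grants temporary access to the current tab only after a user gesture.
    usesActiveTab: (manifest.permissions || []).includes("activeTab"),
  };
}

// Constructed sample manifests (not taken from any real extension).
const everywhereV3 = {
  manifest_version: 3, permissions: ["storage"], host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
const everywhereV2 = { manifest_version: 2, permissions: ["tabs", "<all_urls>"] };
const amazonOnly = {
  manifest_version: 3, permissions: ["activeTab", "storage"],
  host_permissions: ["https://*.amazon.com/*"],
};

for (const [name, m] of Object.entries({ everywhereV3, everywhereV2, amazonOnly })) {
  const r = auditManifest(m);
  console.log(name, "broad:", r.broad.map((e) => `${e.source}=${e.pattern}`),
    "scoped:", r.scoped.map((e) => e.pattern), "activeTab:", r.usesActiveTab);
}
```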



