Browser extensions being enabled for all webpages by default is bad practice for security and privacy. Often the user only wants to use the extension on specific webpages. For example, if I have a video downloader extension, chances are that I only want to use that extension on the page with the specific video I want to download.
Extensions should be disabled by default upon install. If the user wants to use the extension, the user should be able to click on the extension to active it for this specific page for one time only. None of the major browsers are capable of this (so far as I'm aware), so I always have to remember to disable an extension when I'm done using it.
Steps have been taken toward making this the norm in Chrome but it’s not clear yet to what degree it will be enforced. Already user can chose on install or at a later time to limit the domains an extension is active on (no matter what permissions it requests) and the ‘declarative’ model for interactions (wake on invocation by user or declare rules/lists to be applied on your behalf by the browser itself) is heavily promoted.
My extension is intended to work from any site (Browser Routr). I could dynamically update the extension manifest from its complimentary native app, but that creates races with the extension update process. And for many extension the concerns are cross cutting. For example I want dark style overrides everywhere.
Extensions should be disabled by default upon install. If the user wants to use the extension, the user should be able to click on the extension to active it for this specific page for one time only. None of the major browsers are capable of this (so far as I'm aware), so I always have to remember to disable an extension when I'm done using it.