
Took me three clicks to view the source code. Have you looked at it? Bloody hell. It's a CSS file. All the hard work is in finding the problem. Which this man has done for you.

In the time it took you guys to comment you could have written the user style yourself after looking at the source code.

I cannot believe the degree of cargo culting that goes on on this website around security.



Something is definitely wrong here.

You're right about me being a security nut. But I don't think it is unwarranted to be paranoid about letting an extension have those permissions. Especially when the extension can auto update without my permission. There's no way for me to stop the extension from updating in the options.

You viewed the source code, but the extension checks for an update every couple hours and updates itself. You might trust the developer to not do anything bad, or not accidentally leak his private key for the extension. The only way to stop it from updating itself is to go to the manifest file and remove the update URL.

I'm tired of the anti-security comments that come up against people commenting about bad security practices, even though they're restrictive and paranoid. This is the case when you need to be paranoid. A quick Google search gives me this [1].

Ever let someone's code have access to everything on every webpage, including all of your financial and personal ones you use? Well, you're doing it right now. The only way I'd be okay with letting extensions access and change contents of webpages is if they specify the website URLs they're going to access, and those are the only websites they can access (Reddit Enhancement Suite does this).

I appreciate the developer's time on this and don't mean to disparage their effort. But, how many developers are you going to keep trusting this way? You can't normalize every extension having those permissions! Read and change, not just read all websites.

You know enough to look for the source and check it out. But what about the users who don't know how to do so or can't read code? Even if they can, can they discern malicious code from harmless code? Will you say the same thing you said to me to a user with no understanding of how these things work?

I'd actually love to know how you got to the source code in three clicks. Wish it was that easy to view an extension's source other than digging through the Chrome internal data folders.

And I don't think cargo culting is the correct term, or bike shedding. I'd say something to do with tin foil hats would be more appropriate.

[1]: https://arstechnica.com/security/2015/04/google-kills-200-ad...
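
An added example, not part of any comment in this thread and not the extension's own code: a small check of an extension's `manifest.json` for the two things the comment above worries about, host patterns that cover every site and a declared `update_url`. The sample manifests and the `updates.example.invalid` URL are constructed for illustration.

```python
import json

def is_broad(pattern: str) -> bool:
    """True if a Chrome match pattern covers every host."""
    if pattern == "<all_urls>":
        return True
    _scheme, sep, rest = pattern.partition("://")
    # API permissions such as "storage" contain no "://" and are not host patterns.
    return bool(sep) and rest.split("/", 1)[0] == "*"

def audit_manifest(manifest: dict) -> dict:
    """Summarise all-site access, script injection and the update URL."""
    scripts = manifest.get("content_scripts", [])
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    declared = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    declared += manifest.get("host_permissions", [])
    # Content scripts (JS or CSS) carry their own match lists.
    for script in scripts:
        declared += script.get("matches", [])
    return {
        "broad_hosts": sorted({p for p in declared if is_broad(p)}),
        "injects_js": any(s.get("js") for s in scripts),
        "update_url": manifest.get("update_url"),
    }

# Constructed sample: a CSS-only extension that still matches every page.
CSS_ONLY_ALL_SITES = json.loads("""
{
  "manifest_version": 2,
  "name": "sample-css-fix",
  "update_url": "https://updates.example.invalid/crx",
  "content_scripts": [{"matches": ["<all_urls>"], "css": ["fix.css"]}]
}
""")

# Constructed sample: the same stylesheet limited to one named site.
SCOPED = json.loads("""
{
  "manifest_version": 2,
  "name": "sample-scoped",
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["https://www.example.com/*"], "css": ["fix.css"]}]
}
""")

if __name__ == "__main__":
    for m in (CSS_ONLY_ALL_SITES, SCOPED):
        print(m["name"], audit_manifest(m))
```

The first sample reports all-site access even though it ships no JavaScript, and because it declares an `update_url`, a later version could add script without the match list changing.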


Thank you.

`opacity: 0.996 !important;`

We can find the discussion where the extensions were born: https://forum.justgetflux.com/post/10814

Looks like this is something browser vendors should incorporate? One would think that because WebKit is free and open source it should be possible to have this fix evaluated for everyone built into Safari and Chrome by default.


"Bike-shedding" may be a more fitting term for what you are complaining about. Cargo-culting would be almost the opposite in my mind; e.g. people mindlessly copying a pile of magic CSS they don't understand.

Anyway, I guess I'm just another security grump, but knowing it's a single simple CSS property only makes me feel further justified that "Read and change all your data on the websites you visit" is unacceptable. I don't think that's restricted to security nerds on HN either -- there are probably would-be users who can't find a CSS file on GitHub and translate it into a user style, who will also not install the extension, if that's what Chrome tells them it "requires." I don't know if that's purely Chrome's fault for not having an extension architecture capable of requesting less scary permissions to get this job done, or if the developer could do better too.


About the permissions, the developer said it was the minimum permission setting they had to give the extension. You can see someone replying to a user's comment on the extension's review page.

I can't say it's Chrome's fault in this case. The extension is effectively acting on every single web page, even though it's just CSS.


People on here barely read past headlines and you expect them to click three times to find the source code for a browser extension?


While that's true, extensions are automatically updated, so the problem is you can't trust an extension just because right now it's just a CSS file.


You can disable the extension auto-update in Safari.


Really? You can't believe people in a technical community, in 2017, are worried about security? That's actually hard for you to believe? That people who talk about VPNs and data breaches and Edward Snowden and Aaron Swartz, you can't believe that people here are concerned about security?

Yeah, really beggars belief, doesn't it.



