
We need a browser project whose explicitly stated goal is to act as the user's agent. No, Mozilla's "open internet" nonsense doesn't cut it anymore. There's no point in an open internet if every web browser acts against its users.

Every decision taken by the browser developers should only keep in mind the requirements of the users. You want to play DRM content? Sure, we will get that certification but also provide extension APIs that let you save the stream to your disk.

You want to block ads? Sure, we will let you load an extension that will do that. No store, no signing, no crap.



> we will get that certification but also provide extension APIs that let you save the stream to your disk.

That means they will not get the right certification for DRM. The main reason behind them is to prevent saving the stream.


You want to install a third-party keylogger? Sure, we'll let you ship your own password to a dark web clearinghouse...


There used to be a saying, "You can't fix stupid". You can't protect a sufficiently motivated user from destructive action, you can only give them hints that what they are doing is probably unwise.

"Hey, it looks like this extension is doing inappropriate things with your passwords. Would you like to uninstall it?"


An online password manager does the first part of that. What happens to passwords is a matter of trust in those companies and in their security.


Users can reasonably expect an online password manager to exfiltrate their passwords, and if that's what they want they can install one.

The problem with the v2 manifest `chrome.tabs.executeScript` API is that it allows any extension that uses that API to become an undocumented password exfiltrator without any changes to the Chrome extension itself. The new API in manifest v3, in contrast, requires that if, say, my clock extension suddenly became a keylogger, the script that did that would show up in the extension.

The API change is to make it possible for Google to have any hope of vetting extensions in the Chrome Web Store by controlling how their behavior can mutate after Google has signed off on them for inclusion in the store.
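
The API difference described in the comment above, as an added example that is not part of the thread: a reviewer-side check of whether everything an extension injects is present in the reviewed package. It relies on MV2 `chrome.tabs.executeScript` accepting either a `code` string or a `file`, and MV3 `chrome.scripting.executeScript` accepting `files`; the function `auditExtension`, the rule names and both sample packages are constructed for illustration, and the regex matching is a heuristic.

```javascript
// Added example. auditExtension, the rule names and both sample packages
// are constructed for illustration; they are not from any real extension.
function auditExtension(manifest, sources) {
  const findings = [];
  // MV2 tabs.executeScript(tabId, {code: "..."}): the payload is a runtime string.
  const stringCode = /\btabs\.executeScript\s*\([^)]*\bcode\s*:/;
  // MV2 {file: "x.js"} and MV3 {files: ["x.js"]}: the payload is a packaged file.
  const fileRefs = /\b(?:tabs|scripting)\.executeScript\s*\([^)]*\bfiles?\s*:\s*(\[[^\]]*\]|["'][^"']+["'])/g;
  for (const [path, text] of Object.entries(sources)) {
    if (stringCode.test(text)) {
      findings.push({ path, rule: "string-code", detail: "injected script is not in the package" });
    }
    for (const call of text.matchAll(fileRefs)) {
      for (const name of call[1].matchAll(/["']([^"']+)["']/g)) {
        // A referenced file that is absent from the package cannot be reviewed either.
        if (!Object.keys(sources).includes(name[1])) {
          findings.push({ path, rule: "missing-file", detail: name[1] });
        }
      }
    }
  }
  return { manifestVersion: manifest.manifest_version, reviewable: findings.length === 0, findings };
}

// Constructed MV2 package: `payload` is a string obtained at runtime.
const MV2_SAMPLE = {
  manifest: { manifest_version: 2, permissions: ["tabs", "<all_urls>"] },
  sources: { "background.js": "chrome.tabs.executeScript(tabId, { code: payload });" },
};
// Constructed MV3 package: the injected script ships alongside the caller.
const MV3_SAMPLE = {
  manifest: { manifest_version: 3, permissions: ["scripting", "activeTab"] },
  sources: {
    "background.js": 'chrome.scripting.executeScript({ target: { tabId }, files: ["clock.js"] });',
    "clock.js": "document.title = new Date().toLocaleTimeString();",
  },
};

for (const sample of [MV2_SAMPLE, MV3_SAMPLE]) {
  console.log(JSON.stringify(auditExtension(sample.manifest, sample.sources)));
}
```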


Yeah, if the user wants that, why not?


Because the set of users who actually want that is dwarfed by the set of users who got tricked into installing that keylogger.


Those users can continue using their coddling browsers on their coddling operating systems.


Most people are not technology professionals and enthusiasts like this forum is. Should normal people be forced to put their life savings on the line because they didn't understand the difference between Manifest V2/V3?


Again, "normal" people are welcome to continue using the browsers they're currently using.


Correct.

... That browser is Chrome. Chrome's massive install base means it is the browser of choice for people who need a coddling browser.

Much as with Windows becoming the dominant operating system resulting in Microsoft having to deal with botnets fabricated from thousands of compromised machines via forced security updates, the dominant system becomes heavily incentivized to protect the least capable users from their own bad decisions.



