FR: Shields UP on Extensions - protect from spying / malicious extensions

privacy

#1

I :heart: Brave and how it protects my privacy, but extensions are a big security hole.

Can we extend the Brave Shields UP concept to requests from extension background scripts?

Users could view the tracking that their favorite extension does and could then actively choose Shields DOWN on that extension if they still wanted it and if the extension wouldn’t work without violating the user’s privacy.

Even back with Muon, I noticed one of the approved extensions sent detected Facebook login information and a Google Analytics cookie back to their servers, but now that the entire Chrome Web Store is allowed (A GOOD THING), this opens up a blatantly open back door.


#2

I saw you commented on the GitHub issue too; nice. I’m definitely in favor of giving people more control over what their extensions do. Integrating this in a usable way is a little convoluted — there are a lot of ways that this can break extensions, and it’s important that it’s possible to un-break things in the same places they discover the breakage. I want to do it, but it’s “future work” territory right now.


#3

Yes, maybe someone here will have some creative ideas. I poked around in the code a bit and might try to give an implementation if I can get a free weekend.

One thing I suggested in GitHub was that maybe it’s enough just to show a log of the violations and let the user decide.

I pointed out that users have a handful of known extensions installed, so we might think of it as a different problem to hitting millions of random websites running random code, where webmasters don’t always even know what they are including while letting other 3rd-party scripts blindly run in the browsers of their users. [a crime IMHO] :wink: