So I’ve recently been part of a conversation on GitHub about the warning regarding third party extensions being loaded in Brave, and in termination of that discussion development staff (or perhaps not staff, I’m not sure) made a good point I hadn’t considered. That any option added by Brave to allow an advanced user to elect not to get such a warning could be manipulated by a malicious extension in order to prevent that warning from ever being displayed, and doing its job. And that’s a great point.
I still think that the warning, as currently implemented is basically nagware. I understand the importance of alerting users to possibly malicious extensions being loaded, but is it necessary to do so on every session? Maybe first load of the day? Or whenever extensions change? If a malicious extension could start by disabling the option to see those warnings if it existed, then could it not close the alert that pops up as well? Maybe something that both cannot be dismissed at all, and which doesn’t get in the way of function would be viable? Like a red box in the title bar warning of third party extensions, that gets a flyout if you hover over it? Something that could not be suppressed even by an advanced user who knows what they’re doing, because there is no control no option to manipulate it, not for malicious code, and not for the user? I would think that even more secure but also less intrusive than the current option. Maybe just an undismissable red-backgrounded browser tab with more detail about the problem on it, and maybe a list of currently-sideloaded extensions?