Sideloaded Extensions Warning

So I’ve recently been part of a conversation on GitHub about the warning regarding third-party extensions being loaded in Brave, and in termination of that discussion development staff (or perhaps not staff, I’m not sure) made a good point I hadn’t considered: that any option added by Brave to allow an advanced user to elect not to get such a warning could be manipulated by a malicious extension in order to prevent that warning from ever being displayed, and doing its job. And that’s a great point.

I still think that the warning, as currently implemented, is basically nagware. I understand the importance of alerting users to possibly malicious extensions being loaded, but is it necessary to do so on every session? Maybe first load of the day? Or whenever extensions change? If a malicious extension could start by disabling the option to see those warnings if it existed, then could it not close the alert that pops up as well? Maybe something that both cannot be dismissed at all, and which doesn’t get in the way of function would be viable? Like a red box in the title bar warning of third-party extensions, that gets a flyout if you hover over it? Something that could not be suppressed even by an advanced user who knows what they’re doing, because there is no control, no option to manipulate it, not for malicious code, and not for the user? I would think that even more secure but also less intrusive than the current option. Maybe just an undismissable red-backgrounded browser tab with more detail about the problem on it, and maybe a list of currently-sideloaded extensions?


Hey there!

I know this has been a hot topic - there have been at least 3 or 4 heated issues on GitHub with likely near a hundred comments

This warning is NOT present in our Developer and Nightly channels. For folks not wanting to see that warning, I’d recommend using those. Developer channel (0.68.x) is where we modified the config used which controls which experiments are turned on/off. Besides fixing this, it fixes a whole lot more (entire URL now shows, instead of hiding protocol and www, etc.)

The only current issue captured now is to re-enable that experience. So at some point, it’ll be coming back. 0.68.x is set to be released August 20th… so that is when you’ll have the “no nag about side-loaded extensions” available on release channel. If you’re not willing to use Developer or Nightly, there’s not much to do except wait

As for adding the warning back in, @toml has been the point of contact for that issue. It would be an understatement to say that he understands the point you all are raising. But if malware were able to modify this setting, that would make it a useless check

There are a few options:

  1. Use Developer or Nightly and follow 0.68.x as it moves towards release (August 20)
  2. We may explore a “Developer” centric version of Brave. This version could enable (or disable) flags that regular end-users don’t use. I don’t think we have enough features to warrant this and the priority on us grabbing this is fairly low (versus fixing a lot of the open issues we already have). We could use input about what else this potential version may include
  3. You can grab the code, compile it yourself, and turn the flag off. This should work just fine - Widevine won’t work and extensions like 1Password which require a browser signature won’t work either. But if you don’t care about those, that’s a fairly easy solution
  4. Use another browser until August 20th. If we re-enable the nag, then use another browser until we offer a developer version (option 2)

Thanks for the feedback - it’s something we’ve had no shortage of. The above options are the only choices we have for now unless something fundamentally changes in Chromium

Brian