Can extensions:
be scoped, meaning only allowed to read/access when you visit a particular domain whitelist (controlled by the user)?
be forced (by the extension API) to have a clear non-obfuscated feed of whatever they send that the user can log and/or tap onto and watch at any time?
If not, I wouldn't touch them with a 10000ft pole.
> be scoped
Yes. Not usually user-controllable though.
> be forced to have a clear non-obfuscated feed
Kinda. You can usually open a devtools instance that shows whatever the extension is doing. But you can’t force it not to obfuscate the network requests, though (you’d have to make extensions non-Turing complete).
You could mitigate some of these issues by vetting the extensions harder before letting them into the stores. Mozilla requires all extensions to have readable source code, for example.
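Added example, not part of either comment above: the scoping discussed in this thread is declared as match patterns in the extension's manifest, so a reader can check how wide an extension's host access is before installing it. The sketch assumes the standard WebExtensions manifest keys; the manifest object is constructed sample data and the function names are hypothetical.

```javascript
// Constructed sample manifest, not taken from a real extension.
const sampleManifest = {
  manifest_version: 3,
  name: "constructed-sample",
  permissions: ["storage", "tabs"],
  host_permissions: ["https://*.example.com/*"],
  optional_host_permissions: ["*://*/*"],
  content_scripts: [
    { matches: ["https://docs.example.org/*"], js: ["a.js"] },
    { matches: ["<all_urls>"], js: ["b.js"] },
  ],
};

// Match patterns look like scheme://host/path; API names such as "storage" do not.
function isMatchPattern(s) {
  return s === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(s);
}

// Broad means the host part is a bare wildcard, so the pattern covers every site.
function isBroad(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[1] === "*";
}

// Collect every host pattern the manifest declares and label its scope.
function auditHostAccess(manifest) {
  const sources = [
    // Manifest V2 mixes host patterns into "permissions"; V3 splits them out.
    ["permissions", manifest.permissions || []],
    ["optional_permissions", manifest.optional_permissions || []],
    ["host_permissions", manifest.host_permissions || []],
    ["optional_host_permissions", manifest.optional_host_permissions || []],
    ...(manifest.content_scripts || []).map((cs, i) =>
      [`content_scripts[${i}].matches`, cs.matches || []]),
  ];
  const findings = [];
  for (const [where, list] of sources) {
    for (const pattern of list.filter(isMatchPattern)) {
      findings.push({ where, pattern, scope: isBroad(pattern) ? "all-sites" : "scoped" });
    }
  }
  return findings;
}

console.log(auditHostAccess(sampleManifest));
```

Content script `matches` entries are included because they grant page access on their own, separately from the permission lists.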