adrianwaj 2 days ago

There was a recent comment: "if you don't know: any browser extension can read input/password fields across all site(s) you gave it access to (yeah, it's crazy but unfortunately true)."

https://news.ycombinator.com/item?id=47553048

Would either WF or LW fix that? Is it true?

MrAlex94 2 days ago | parent [-]

Nothing to "fix" per se - webextensions need to interact with website data, otherwise they wouldn't be much use. Any extension with content script access can read page content including form fields.

The only real mitigation is being selective about which extensions you install and what permissions you grant them (even then, ownership of extensions changes hands, updates can change what they do... it's a never-ending battle really).
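
As an added illustration of the comment above (not code from the thread or from any browser project): a small audit of an extension's `manifest.json` that lists the host patterns it requests and flags those that let its content scripts run, and therefore read form fields, on every site. The sample manifest and the function names are constructed for this example.

```javascript
// Added example. Classifies the host access a WebExtension manifest requests.
// Match patterns are <scheme>://<host>/<path>, or the literal <all_urls>.
function classifyPattern(pattern) {
  if (pattern === '<all_urls>') return 'all-sites';
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\/.*$/.exec(pattern);
  if (!m) return 'invalid';
  if (m[2] === '*') return 'all-sites';
  if (m[2].startsWith('*.')) return 'domain-and-subdomains';
  return 'single-host';
}

// In Manifest V2, API permissions ("storage", "tabs") share an array with host patterns.
const isHostPattern = (s) =>
  typeof s === 'string' && (s === '<all_urls>' || s.includes('://'));

function auditManifest(manifest) {
  const findings = [];
  // atInstall: requested up front rather than asked for later at runtime.
  const add = (source, patterns, atInstall) => {
    for (const p of patterns || []) {
      if (!isHostPattern(p)) continue;
      findings.push({ source, pattern: p, scope: classifyPattern(p), atInstall });
    }
  };
  add('host_permissions', manifest.host_permissions, true);   // Manifest V3
  add('permissions', manifest.permissions, true);             // Manifest V2 host entries
  add('optional_host_permissions', manifest.optional_host_permissions, false);
  add('optional_permissions', manifest.optional_permissions, false);
  (manifest.content_scripts || []).forEach((cs, i) =>
    add(`content_scripts[${i}].matches`, cs.matches, true));
  return findings;
}

// True when a content script or host grant covers every site from install time.
function readsFormsEverywhere(manifest) {
  return auditManifest(manifest).some((f) => f.atInstall && f.scope === 'all-sites');
}

// Constructed sample manifest, not taken from a real extension.
const sampleManifest = {
  manifest_version: 3,
  permissions: ['storage'],
  host_permissions: ['https://*.example.com/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};
console.log(auditManifest(sampleManifest), readsFormsEverywhere(sampleManifest));
```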

mrWiz 2 days ago | parent | next [-]

My naive fix would be to disable extensions from accessing form field data without explicit approval. Hell, add different approval boxes for read, write, and hidden-text.

What am I missing?

Matumio 2 days ago | parent [-]

Say you have an ad-blocker and you don't allow it to touch your forms. Five years later, the ads have moved all into form fields.

Never mind the technical challenge to allow doing anything with the DOM but disallow reading the forms. Like, prevent the forms leaking their text when you do funny things like testing character width via line breaking or font changes.

adrianwaj a day ago | parent | prev [-]

Sounds like the answer is just not to install any extensions. But there are a few browsers out there including DDG and Midori v9.0 & older (Classic) that disable them altogether. Maybe GNOME Web is the answer. Thanks.