nightpool 5 hours ago

> I think most people would interpret “scanning your computer” as breaking out of the confines of the browser and gathering information from the computer itself.

Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox. The fact that there's no getAllExtensions API is deliberate. The fact that you can work around this with scanning for extension IDs is not something most people know about, and the Chrome developers patched it when it became common. So I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.

crazygringo an hour ago

> Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox.

I don't think so, because most people understand that extensions necessarily work inside of the sandbox. Accessing your filesystem is a meaningful escape. Accessing extensions means they have identification mechanisms unfortunately exposed inside the sandbox. No escape needed.

It's extremely unfortunate that the sandbox exposes this in some way.

Microsoft should be sued, but browsers should also figure out how to mitigate revealing installed extensions.

haswell 5 hours ago

> I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox

I think that’s a far more reasonable framing of the issue.

> I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.

I agree that most people would not expect their extensions to be visible. I agree that browsers shouldn’t allow this. I, and most privacy/security-focused people I know, have been sounding the alarm about Chrome itself as unsafe if you care about privacy for a while now.

This is still a drastically different thing than what the title implies.