this post was submitted on 06 Sep 2023
I am not quite sure why there are all these bullet points that have very little to do with the actual issue.
I am not sure how Manifest V3 is relevant here? Nothing in Manifest V3 suggests that content_scripts can't access the DOM.
I'd also say this isn't directly the issue. Yes, content_scripts needing an extra permission to be able to access password input fields would help of course.
Yes... because accessing the DOM and interacting with it is what browser extensions do. If anything, that 12.5% feels low, so I am going to guess it is the combination of accessing the DOM and being able to phone home with that information.
This, to me, feels like the core of the issue right now. The behavior as described always has been part of browser extensions and Manifest V3 didn't change that or make a claim in that direction as far as I know. So that isn't directly relevant right now. I'd also say that Firefox is just as much at risk here. Their review process over the years has changed a lot and isn't always as thorough as people tend to think it is.
"A javascript library" is not going to do much against content_scripts of extensions accessing the DOM.
The alert system seems better indeed, but that might as well become a browser extension permission.
To be clear, I am not saying that all is fine and there are no risks. I just think that the bullet point summary doesn't really focus on the right things.
Because they literally tout security as one of the primary reasons for forcing it onto people.
https://developer.chrome.com/docs/extensions/mv3/intro/
The first line is “A step in the direction of security, privacy, and performance.”
https://developer.chrome.com/blog/mv2-transition/
“Manifest V3 is more secure, performant, and privacy-preserving than its predecessor.”
It’s the first thing they say.
If it doesn’t prevent a malicious extension from lifting your password in perhaps the most dumb and naive way I can think of, then it seems fairly disingenuous to describe it as “secure”.
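The thread above singles out one combination: content scripts that reach every page's DOM, plus the ability to send data elsewhere. As an added example (not from either commenter, and not Chrome's or Mozilla's review tooling), this Node.js sketch triages an extension's `manifest.json` for that combination; the function names, verdict labels and sample manifests are assumptions made for illustration.

```javascript
// Added example. The manifests below are constructed samples, not real extensions.

// True for match patterns that cover every host: "<all_urls>", "*://*/*", "https://*/*".
function isBroad(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// MV2 mixes API names and host patterns in "permissions"; MV3 moves hosts
// into "host_permissions".
function hostPatterns(manifest) {
  const looksLikeHost = (p) => p === "<all_urls>" || p.includes("://");
  return manifest.manifest_version >= 3
    ? (manifest.host_permissions ?? [])
    : (manifest.permissions ?? []).filter(looksLikeHost);
}

// Report declared content scripts that run on every site, and whether the
// manifest also requests host access to every site. Heuristic only.
function auditManifest(manifest) {
  const broadScripts = (manifest.content_scripts ?? [])
    .filter((cs) => (cs.matches ?? []).some(isBroad))
    .flatMap((cs) => cs.js ?? []);
  const broadHosts = hostPatterns(manifest).filter(isBroad);
  let verdict = "narrow";
  if (broadScripts.length > 0) verdict = "dom-everywhere";
  if (broadScripts.length > 0 && broadHosts.length > 0) verdict = "dom-and-hosts-everywhere";
  return { name: manifest.name, version: manifest.manifest_version, broadScripts, broadHosts, verdict };
}

const SAMPLE_MV3_BROAD = {
  name: "sample-a", manifest_version: 3,
  permissions: ["storage"], host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const SAMPLE_MV3_NARROW = {
  name: "sample-b", manifest_version: 3,
  host_permissions: ["https://example.com/*"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["site.js"] }],
};
const SAMPLE_MV2_BROAD = {
  name: "sample-c", manifest_version: 2,
  permissions: ["storage", "*://*/*"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["inject.js"] }],
};

for (const m of [SAMPLE_MV3_BROAD, SAMPLE_MV3_NARROW, SAMPLE_MV2_BROAD]) {
  console.log(JSON.stringify(auditManifest(m)));
}
```

It reads only the patterns declared in the manifest, so a "narrow" verdict says nothing about scripts an extension injects at runtime.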