The problem:
Chrome extensions frequently request the ability to access any site [1]. Users may either not recognize the significance of that permission or simply trust the developers not to abuse it. Developers may not be trustworthy, or their extension may be taken over by untrustworthy parties. Once the user is compromised (it only takes one extension!), the “any site” privilege gives access to sites where security is essential, such as banks and other financial institutions.
Current Protection Measures:
Automated review of extension code
Ability to allowlist allowed sites
Isolation of extension code
Opening sensitive sites in incognito mode
Why they are not enough:
Automated review of extension code
Does not catch everything. Some extensions pass through the filter - examples
Ability to allowlist allowed sites
Does not apply to extensions that realistically need access to all sites, for example https://darkreader.org
Does not apply to extensions that operate on a dynamic, changing set of sites.
Isolation of extension code with access to Chrome APIs
Protects extensions from websites, but not websites from extensions
Opening sensitive sites in incognito mode
Effective in terms of security, but practically speaking an annoyance
Proposal: A global denylist to limit “any site” access
A global denylist would block extension access to every site the user lists. It would let a person use an “any site” extension while still being confident that it will not access their personal or financial records on the denylisted sites. It is simple, straightforward, and a relatively easy addition to Chrome. Once the global denylist is in place, the concept could be expanded further: there could be extension-specific denylists, and there could be a default denylist covering the top 10 major financial institutions. For example, Tampermonkey ships with the following defaults in its denylist:
*example.org/*
*paypal.tld/*
*stripe.com/*
https://*deutsche-bank-24.tld/*
https://*bankofamerica.tld/*
/^.*:\/\/apis\.google\.com\/((?!render)([^\/]+)\/)+([^\/]+)?$/
*://www.facebook.com/plugins/*
*://platform.twitter.com/widgets/*
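To make the proposed gate concrete, here is an added reference implementation that is not Chrome's or Tampermonkey's code. It compiles the rules quoted above and decides, for a given page URL, whether an “any site” extension may be given access, with an optional per-extension denylist layered on top of the global one. The rule dialect is an assumption: a rule wrapped in slashes is treated as a JavaScript regular expression, any other rule is a glob in which `*` matches any run of characters, and the `.tld` token is approximated as “a dot followed by two or more letters” rather than Tampermonkey's real top-level-domain expansion. The function names (`compileRule`, `isDenied`, `extensionMayAccess`) and the URLs in the demonstration are constructed for this example.

```javascript
// Added example (not Chrome's or Tampermonkey's code): a reference
// implementation of the global denylist gate described in the proposal.
// Rule dialect assumed here:
//   - a rule wrapped in "/.../" is a JavaScript regular expression, used as-is;
//   - any other rule is a glob in which "*" matches any run of characters and
//     the ".tld" token stands for any top-level domain (approximated as
//     "\.[a-z]{2,}"; Tampermonkey's real TLD expansion is not reproduced).
// The rules below are the Tampermonkey defaults quoted in the proposal.
const DEFAULT_DENYLIST = [
  "*example.org/*",
  "*paypal.tld/*",
  "*stripe.com/*",
  "https://*deutsche-bank-24.tld/*",
  "https://*bankofamerica.tld/*",
  String.raw`/^.*:\/\/apis\.google\.com\/((?!render)([^\/]+)\/)+([^\/]+)?$/`,
  "*://www.facebook.com/plugins/*",
  "*://platform.twitter.com/widgets/*",
];

// Compile one rule into an anchored RegExp.
function compileRule(rule) {
  if (rule.length > 2 && rule.startsWith("/") && rule.endsWith("/")) {
    return new RegExp(rule.slice(1, -1)); // regex rule: text between the slashes
  }
  // Glob rule: escape every regex metacharacter except "*", then expand
  // ".tld" (already escaped to "\.tld" by the first step) and "*".
  const source = rule
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\\\.tld(?![a-z])/gi, "\\.[a-z]{2,}")
    .replace(/\*/g, ".*");
  return new RegExp("^" + source + "$", "i"); // host names are case-insensitive
}

const GLOBAL_RULES = DEFAULT_DENYLIST.map(compileRule);

// True when the URL is covered by the denylist, i.e. an "any site" extension
// must not be injected into, or allowed to read, this page.
function isDenied(url, rules = GLOBAL_RULES) {
  // Normalise first (lower-case host, trailing slash on a bare origin) so the
  // rules are matched against the canonical form, not the raw string.
  const canonical = new URL(url).href;
  return rules.some((re) => re.test(canonical));
}

// The gate the browser would consult before granting an "any site" extension
// access to a page: the user's global denylist always applies, and an
// optional per-extension denylist (the proposal's suggested extension of the
// idea) is layered on top.
function extensionMayAccess(url, extensionDenylist = []) {
  const rules = GLOBAL_RULES.concat(extensionDenylist.map(compileRule));
  return !isDenied(url, rules);
}

// Stand-alone demonstration over constructed URLs.
if (typeof require !== "undefined" && require.main === module) {
  for (const u of [
    "https://www.paypal.com/signin",
    "https://apis.google.com/js/api.js",
    "https://apis.google.com/render/widget",
    "http://www.bankofamerica.com/",
    "https://news.example.com/article",
  ]) {
    console.log(`${u} -> ${extensionMayAccess(u) ? "extension allowed" : "denied"}`);
  }
}
```

Two behaviours of the quoted defaults are worth noticing when running this. The `apis.google.com` rule uses a negative lookahead so that everything under that host is denied except the `render` path, which shows that a denylist entry can carve out exceptions. The two bank rules are written with an explicit `https://` prefix, so a plain `http://` URL on the same host is not covered; a default denylist intended for financial sites should use a scheme wildcard (`*://`) unless the narrower scope is deliberate.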