Well, I guess they could. But at least its in the rules and people can report. And if it indeed violates the setting, then the addon could be removed from the repository. So there is an incentive for addon developers not to break that “promise”. At least this is the right direction.
Yes, but it’s about the tiniest step they could possibly take. It just officially makes violating “trust me, bro” against the rules, but does absolutely nothing to prevent it, nor allow the user to directly prevent such abuse. Some extensions don’t need Internet access at all, but there’s no (easy) way to stop it from happening. Others only need occasional access for updates, but there’s no user control for whether that’s all they’re doing.
Yes, it also narrows down the number of potential targets for analysis / report. If an extension is not marked “none” then no need to go out of your way to figure out if it does it.
For some extensions it might actually be relatively easy to figure out if they do communicate with an external server that they might not need to, specially considering that the extension format can easily be decompressed, .crx files are just zip files with some javascript and other files inside… they might want to obfuscate the logic, but it’s not impossible to try and unravel things to some extent.
It has been a thing for longer that extensions are not allowed to make connections to the internet, unless it’s actually required for the functionality they advertise. And I believe, they have some rudimentary code scans in place to check for that. Besides that, there’s also their Recommended Extensions program, where they do thorough code reviews for a subset of available extensions.
So I can just declare ‘none’ and happily collect data?
Or is there actually some type of control?
Well, I guess they could. But at least its in the rules and people can report. And if it indeed violates the setting, then the addon could be removed from the repository. So there is an incentive for addon developers not to break that “promise”. At least this is the right direction.
Yes, but it’s about the tiniest step they could possibly take. It just officially makes violating “trust me, bro” against the rules, but does absolutely nothing to prevent it, nor allow the user to directly prevent such abuse. Some extensions don’t need Internet access at all, but there’s no (easy) way to stop it from happening. Others only need occasional access for updates, but there’s no user control for whether that’s all they’re doing.
Yes, it also narrows down the number of potential targets for analysis / report. If an extension is not marked “none” then no need to go out of your way to figure out if it does it.
For some extensions it might actually be relatively easy to figure out if they do communicate with an external server that they might not need to, specially considering that the extension format can easily be decompressed,
.crxfiles are justzipfiles with some javascript and other files inside… they might want to obfuscate the logic, but it’s not impossible to try and unravel things to some extent.It has been a thing for longer that extensions are not allowed to make connections to the internet, unless it’s actually required for the functionality they advertise. And I believe, they have some rudimentary code scans in place to check for that. Besides that, there’s also their Recommended Extensions program, where they do thorough code reviews for a subset of available extensions.