I wish this was a feature of Firefox (or Chrome, as if Google would ever), rather than a third-party extension, so that it had enough adoption to compel other browsers to care too. I'd like very much to authorize certain extensions to only make GET requests to specific static URLs without any ability to vary the headers, so that they can get data updates without there being any risk of leaking data. And for others, they don't need network access at all to do their job locally in my browser instance. But that would be circumventable (since anything that can modify page source can add data transmission), so I imagine they aren't doing it because of that. Too bad — better to try than just give up and cede it to a Chrome extension.
(This is also a great way to figure out what you need to do for a user-chrome CSS file, e.g. if you want to change how tabs appear beyond just theming. Though using a user-chrome CSS file is unfortunately a minor pain in the ass.)
I had to switch it to "multi-process mode" to get network requests from extensions to show up, but that broadly makes sense.
A GET request can leak data via the request path or query-string parameters. If that were restricted, you could set up communication where timing or frequency implies activity, with a Morse-code-like protocol (and with enough requests, easily transfer megabytes of data).
You can just do whatever the modern equivalent of document.trackingPixel.src = 'leak all your data here in a single request', since extensions can modify content blocking. Firefox should ask for, accept, and audit a statement of whether your extension needs to make dynamic network calls or not, and why it needs to do so. Yes, you could lie — but then you'd get caught lying, in violation of, kicked off the store, etc. Today, you can just add tracking, and no one can take any useful action as a result.
100% agree. I think extensions are an odd place to start, but this is the exact reason I avoid browser extensions unless I've explicitly audited them (and I still don't like that they auto-update without permission).
I'd say any extension that's making an HTTP request that isn't just repeating URLs that are already in the page should show a toast notification with the request body prettified into legibility.
A well made extension will only pop up an occasional toast. One that needs the server to work will show the toast when the user expects it to be talking to the server. One sending keypresses or other suspicious data will be really obvious.
IIRC extensions cannot access any URL that hasn't been specified in the manifest's permissions section. I think Firefox shows those URLs in the permission prompt. Those URLs can contain wildcards though, and I even think there is a special value for all URLs, but only a few extensions should require that permission.
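As an added illustration of the manifest mechanism the comment above refers to (this is a constructed example, not code from the thread or from any real extension): a Manifest V3 `manifest.json` for a hypothetical Firefox extension that declares host access to exactly one static feed URL. The extension name, the `updates.example.com` host and the `background.js` file are assumptions for the example.

```json
{
  "manifest_version": 3,
  "name": "example-feed-reader",
  "version": "1.0",
  "description": "Constructed example: fetches one static feed and nothing else.",
  "host_permissions": [
    "https://updates.example.com/feed.json"
  ],
  "permissions": [
    "storage"
  ],
  "background": {
    "scripts": ["background.js"]
  }
}
```

With this manifest, a `fetch()` from the background script to any origin other than `https://updates.example.com` is refused by the browser, and the install prompt can list the single host. The broad alternative is the special match pattern `<all_urls>` (or a wildcard such as `*://*.example.com/*`), which is what turns the prompt into "access your data for all websites". When reviewing an extension, also check any `content_scripts[].matches` entries, since a content script injected into a page runs with that page's ability to load resources, which is the gap the other commenters are pointing at.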
For extensions that modify page data, is that prompt still shown? My understanding was that once you have the 'modify page data' permission, you're no longer required to present URLs in the permission prompt at all — but I'd be thrilled to be wrong, if that's changed!
I think browser makers don't offer this because any protection put in place would be easy to work around.
For example, even if the extension itself can't make requests, there are plenty of ways to 'trick' a webpage into making a request on your behalf when you have permissions to modify the DOM of the web page.