
Ask HN: Why can't Chrome block extensions by default on .gov and bank websites?

4 points by Ennergizer 3 years ago · 6 comments · 1 min read


And only enable them when you click on the extension or allow it on a specific domain?

Or at least have a policy to not allow all extensions on all domains by default as user selectable option in Chrome settings?

politelemon 3 years ago

You might be seeing the problem as much simpler than it is. Have a think:

* Only US gov websites, and not every country's equivalent?

* And only on their country's specific TLD, because some countries do have official government sites using .com or non government TLDs!

* And which banks? Only banks? Why not other financial institutions?

* Where would such a list be stored and maintained? Who would be the arbiter?

* How do renames, rebrands and defunct sites get handled?

* How do you prevent malicious third parties getting onto the "no extensions" register?

Just listing these questions out, I can see the problem spiralling very quickly.

It could be stated simpler as, why can't my browser allow me to disable extensions for specific domains of my choosing? To which the answer will probably be, because that's another potential attack vector. A victim could be told to permanently disable extensions for a specific malicious domain.

So if I wanted this feature I might choose to approach individual extension developers and ask them if they'd be willing to disable the extension based on a specific list of domains. Again I think security concerns would make them say no but that's the narrowest 'scope' that you could ask for.

  • Ennergizer (OP) 3 years ago

    Google actually has a list of websites categorized as banks and financial institutions. Yes, it does not cover every single case, but that's a start.

    Extensions are not malicious by default, but some developers are selling well-known extensions to bad actors (unknowingly) who can change things.

    In most cases you only need the extension to inject its scripts into certain websites, not all.

    Right now Chrome provides an option in each extension's settings, "Allow this extension to read and change all your data on websites you visit", with a choice to allow it only when you click on the extension.

    That config could easily be applied to every extension in Chrome's settings IF that were an option, with any extension added to an allow-list by default on the specific sites where you need it.

    Currently, during extension install, when the extension needs access to all the websites where you want to use it, there is no option to select which websites you want to allow it on (the extension developer does not know where you want to use it, so they make it allow on all websites).

  • zamnos 3 years ago

    Not to mention, the whole domain name hierarchy didn't really gain adoption, so there are tons of official government sites that are at .com or .org.

    In my case, the city assessor's office, to which I pay thousands of dollars in property tax, is at cityname-assessor.org.
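For what it's worth, the per-domain control the OP is asking for does exist in Chrome, just not in the Settings UI: it is exposed only through the managed ExtensionSettings policy, which lets an administrator block all extensions from running on a list of hosts and then allow individual extension IDs back in. The file below is an added example written for this thread, not something posted by any of the commenters. The host list is constructed for illustration (it borrows the assessor domain from the comment above), and the 32-character extension ID is a placeholder, not a real extension.

```json
{
  "ExtensionSettings": {
    "*": {
      "runtime_blocked_hosts": [
        "*://*.gov",
        "*://*.bank.example",
        "*://cityname-assessor.org"
      ]
    },
    "abcdefghijklmnopabcdefghijklmnop": {
      "runtime_allowed_hosts": [
        "*://*.bank.example"
      ]
    }
  }
}
```

The `"*"` entry applies to every installed extension, so with this in place no extension's content scripts or host-permission APIs run on the listed hosts; the second entry (placeholder ID) is how you would re-enable one trusted extension on one of those hosts, which is the per-site allow-list the OP describes. On Linux this goes in `/etc/opt/chrome/policies/managed/` as a `.json` file; on Windows and macOS the same policy is delivered via the registry or a configuration profile. Two caveats a practitioner should check: the policy only takes effect in a managed (enrolled or locally policy-configured) browser, so it does not help the ordinary consumer install the thread is about, and the exact precedence between a per-ID `runtime_allowed_hosts` and the wildcard `runtime_blocked_hosts` should be confirmed on the deployed Chrome version by inspecting chrome://policy rather than assumed from this example.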

dave4420 3 years ago

What’s the problem you’re trying to solve?

  • superchroma 3 years ago

    Solve the issue of untrusted add-ons taking advantage of ill-gotten privileges to steal user information, by offering a different dimension of security than has been previously available?

    • dave4420 3 years ago

      So on the one hand, why wouldn’t this also cover, say, webmail sites?

      On the other hand, how does preventing me from using an extension when finding out when my bins are going to get emptied over Xmas protect me?
