Brave Extension Store

[bsclifton]

Description

Currently, Brave is relying on the Chrome Web Store. This is working well and to the best of our knowledge, we have the same policies for loading extensions as Chrome/Chromium (please file an issue if not!).

There are a few reasons we might want to host our own extension store:

1. We may want to spotlight specific extensions (extensions recommended by staff, etc)
2. As Manifest v3 is approaching, we may need to stand up a store out of necessity. Brave has taken a public stance against a full move to Manifest v3 (click here for source). As this shapes up in Chrome/Chromium, we'll need to evaluate what changes will be needed - which may include continuing to host some v2 extensions (per article link, we'd want uBlock Origin and uMatrix).

Miscellaneous Information:

See #28 for a previous version of this issue. We did some initial investigation work which is linked there 😄

[NumDeP]

Regarding the part of it working well to the best of your knowledge, more than a couple of times now I've been forced to remove an extension because a short notice appeared implying the they might have malware, out of fear I thought bugger it I wouldn't be able to tell if something malicious was happening behind the scenes. One of the extension I hadn't used in a while and I think the others were related to tab management, it must have been Great Suspender which reduce memory. Avoiding screws ups like this will be appreciated.

It would be good if you took the best parts Mozilla's Firefox Store and Google's Chrome Store in terms of UX and brought it into Brave's Webstore. If this mean we're/you're going to have to communicate with every extension developer about additionally pushing their solutions and future updates into Brave's future store, enticing them with BATs may be a good idea. I always thought Brave should figure out a way to pay extension developers as so many of them don't receive the credit they deserve.

Questions -

• Would having an extension that is creating hype and I'm not speaking in a positive tone here, force you to remove it even though there's nothing malicious about the solution and if not yourselves, be forced to because of your use of AWS? You'll likely use AWS and if anything like the sort did happen, something tells me they wouldn't just shut down the extensions portal but every other part of your service as well.

• Even though Shields and BAT are displayed in the URL bar and aren't downloaded like you typical extension, they're still technically extension, right, i.e they use memory are constantly active behind the scene. Wouldn't this cause issues in terms of security. It just seems odd to me that if one were to use Brave's proprietary extensions, Tor, WebTorrent, BAT and other private ones, it just seems like an area where someone can think of something dodgy to do if you know what I mean. I guess what I'm trying to say is Brave still hasn't managed to fix the issue/concerns surrounding private tabs and though it's not a huge P1 related security issue, on a service such as Chrome's Webstore (Manifest v2, if I'm correct) which I suppose Brave will try to keep intact as best a s possible, do you not feel it will be less secure?

• Surely Chrome's technology has been refined over the decade to an extent where critical security concerns are no longer an issue in Google's Webstore and there may be certain things Chrome does on their side for better security but doesn't share i.e push into Chromium, is this also another concern?

• When Manifest v3 does come about, in the similarly timed version of Brave, would existing extension be hindered in any way?

• Regarding my introductory statement about the malware issue. There's no way of knowing if those extensions actually had malware and I for one don't certainly want to reinstall them to find out, what is Brave going to do post Manifest v3 and even for the time being for that matter?

• This may be silly but I've just realised it now as I'm typing unless I'm mistaken, that Brave doesn't have any kind of proprietary data whatsoever pertaining to extensions - their developers, their users and any essential analytical data such as size that may be useful come to think of it now. Am I wrong?

• I've come to understand the digits in Priorities i.e P5 are actually the number of years you will come to fix it by :) That being said, if Google contemplated this before 2019, wouldn't it be ideal to slowly begin development of this in every aspect i.e infrastructure, UX, security and so on and slapping a P3 label at the least?

[Tonev]

+1 from Community.

https://community.brave.com/t/brave-extension-store/271104

@bsclifton, could you take a look at the questions of a Community user below whenever you have the opportunity?

I don’t really understand their plans, can someone break it down for me?

Will Chrome Extensions (Manifest v3) be incompatible with Brave (Manifest v2)?
Will Brave encourage developers to build extensions for Brave?
Will Brave defend free speech, free software, and privacy on their Extension Store?
If Brave has an extension converter for Chrome Extensions, will Brave uphold the copyrights of extension authors, by giving them a choice to NOT be enrolled in the conversion programme?

[2br-2b]

If you hosted your own web store, it would make sense to host at least the extension files on IPFS. This could reduce your server load, plus it'd be a great way to promote IPFS after having added support for it to Brave.

Even if the main page's html isn't completely hosted on IPFS, at least hosting the extensions themselves and some of the resources used by the page (javascript, images, etc.) on IPFS would be nice.

[UltraBlackLinux]

The chrome extension store is full with bloat and data harvesting crappy addons while google likes to remove perfectly fine addons like "Youtube auto like" for some stupid reasons.
The firefox extension store is the best one available since it just doesn't have a crapload of junk while many addons are also open source.
I'd love to have a firefox extension store-equivalent for chrome based browsers.

[2br-2b]

The chrome extension store is full with bloat and data harvesting crappy addons while google likes to remove perfectly fine addons like "Youtube auto like" for some stupid reasons.
The firefox extension store is the best one available since it just doesn't have a crapload of junk while many addons are also open source.
I'd love to have a firefox extension store-equivalent for chrome based browsers.

Just realize that something like this would take time, effort, and money from the Brave team. They would have to review all the extensions submitted and they wouldn't get much benefit from hosting this - Chrome users will probably keep using the Chrome Web Store.

[alethiophile]

I would like to note that, now that the Chrome Store has stopped accepting new Manifest v2 addons, there is no path to publish these addons in Brave either. Installing external addons is theoretically possible but practically not.

Thus, either a working Brave Store or an easy way to install external Brave addons seems like an important priority.

[sybenx]

If it's possible, support for the edge extension store would fill the gap. Things like LibRedirect are available there but not on the Chrome Webstore because of Manifest v3.

[alethiophile]

Unfortunately, Edge is planning to remove support for v2 extensions on the same timeline Google is. Their store will stop accepting new v2 extensions in July (see).

Thus, this would be a temporary patch probably not worth the effort.

[UjCbFwtBayFM]

Any update?

[mikhoul]

A solution could be to allow users to update their extensions from Github Repo URL with a warning that those extensions are not vetted.

Before Chrome M33 it was working well this way and relatively easy to setup: https://developer.chrome.com/docs/apps/autoupdate/#update_url

I'm not sure but the restriction since Chrome M33 seem to only aplly to Windows platform and Mac (Not Linux).

It could be a special flag to activate with a warning so it would be safe, users that activate flags are "power-users and not casual users.

---

@ManeraKai

libredirect/browser_extension#45

[amuagarwal]

In addition it brave ext. store looking forward to have link to specific store from where the ext was installed currently it not have any link every time user need to search by ext id or name in chrome store.

[st333v]

The chrome extension store is full with bloat and data harvesting crappy addons while google likes to remove perfectly fine addons like "Youtube auto like" for some stupid reasons.
The firefox extension store is the best one available since it just doesn't have a crapload of junk while many addons are also open source.
I'd love to have a firefox extension store-equivalent for chrome based browsers.

Just realize that something like this would take time, effort, and money from the Brave team. They would have to review all the extensions submitted and they wouldn't get much benefit from hosting this - Chrome users will probably keep using the Chrome Web Store.

Why duplicate all the effort that the firefox team make at reviewing the extensions. Surely it would be easier to just add a compatibility layer to allow firefox extensions to run in brave. When i say easier, i know that would not be an easy task, just less effort probably than trying to reproduce everything that mozilla are already doing. I mean Firefox extensions are created using the web extensions API standard, which is based on the chrome extensions API which are very similar as far as i can see. so in theory it shouldnt be all that difficult.

[UjCbFwtBayFM]

I mean Firefox extensions are created using the web extensions API standard, which is based on the chrome extensions API which are very similar as far as i can see. so in theory it shouldnt be all that difficult.

Mozilla made Firefox partially compatible with the Chrome API by adding a layer on top of their own extension API. Even then, they do not support the same APIs so Chrome devs wanting to port their extension to Firefox have to use Mozilla Compatibility tool.

[trymeouteh]

Would be nice to see

If Brave does create an extension store, I hope it ia fully open source and allows others to self host their own extension store just like how othere can self host their own F-Droid repo.

[KaKi87]

Sorry to bother, but I couldn't find an answer anywhere : how to actually create an extension install page ?

I suppose it doesn't only consist in serving a CRX file, like a userscript & userstyles store would serve *.user.js & *.user.css files.

By the way, now that I think about it, I'd say that also offering userscripts and userstyles in a web store could be nice.

Thanks

[noxasch]

Since chrome introduce manifest v3 and force developer to use it, I believe brave should came out with its own extension store. Plus chrome webstore is not that great since it still got a lot of spam/fake/scam extension in the store anyway.

[ghost]

any update on the extension store? we still cannot enable installed extensions directly by turning on developer mode in windows and mac.

[bsclifton]

Closing as stale for now - no work planned here at the moment

We do have a backup plan for manifest v2 - some additional UI in the browser (no store needed).

[KaKi87]

How will developers be able to publish their Manifest V2 extensions then ?

[bsclifton]

@2br-2b @KaKi87 see here for more infomation:
brave/brave-core#16983

[alethiophile]

How are the authors of Manifest v2 extensions, other than the four specific ones that are special-cased in that ticket, supposed to publish extensions people can use in Brave?

This is obviously not solving the problem of individuals being able to keep publishing extensions.

[uBlock-user]

Instead of running a whole another store, I will suggest to do what Firefox devs did and allow extensions to be installed from any website that hosts a extension.

The current solution only seems to be making a special case for 4 selected extensions, leaving out numerous others in the dust.

[Comprehensive-Jason]

@uBlock-user Is this still a thing? This seems like a massive security issue.

[uBlock-user]

@Comprehensive-Jason what thing ? and what massive security issue ?

[deathtrip]

Letting people install extensions from random websites is indeed a massive security issue.

[KaKi87]

@bsclifton So how will developers be able to add and update their extensions to this list ?

@deathtrip @Comprehensive-Jason Not really : using an extension store doesn't prevent malware from being published.

[KaKi87]

That said, I asked years ago how to create an extension store that the browser would detect (including here), and didn't get any answer.

[holdingsllc]

We do have a backup plan for manifest v2 - some additional UI in the browser (no store needed).

What is this backup plan? We're developing an incredible new extension-based product which requires some v2 features. Thanks.