Adjust messaging (or remove) for side loading of extensions #4349
Comments
bbondy
changed the title
|
A suggestion from #1432 is to remove notification from dev channel but keep warning in release/beta. |
|
Not sure exactly what all this means..... but having that stupid developer warning keep popping up every fucking single damn time you launch the browser is fucking annoying as fucking hell. I got it the first damn time... I am not a 3yo that needs to be told something every 3 fucking minutes. |
|
I wasn't aware it pops up every time you launch the browser, I put a comment for that in the issue's first post. |
To be honest, this is not a good idea. This more or less 'forces' people to use a dev version (or put up with the nagging popups forever). I am a normal user of Brave, and as such I should be using the official version. Besides the fact that I keep things up to date with package managers, and using dev channel would cause extra maintenance effort. |
|
Let me please stress this again, as I think security is the most important concern of all this: Keeping the same popup showing up every time makes security WORSE, not better! I totally understand the reasons for this popup. Really. But I have a self made developer extension, and Brave warns me every single time. Despite the fact that I am with absolute 100% certainty NOT at any risk. Extremely annoying. After doing this a 100 times or so, clicking it away becomes something automatic, you do it unconsciously. Can you please reconsider this feature, but with two critical changes:
I think overall security would be served best by this approach. Better than how it's done now, which introduces the risk that people develop the habit of clicking away the warning automatically. Very dangerous, this is not what we want if we have security in mind. Thank you for your consideration. |
|
I only recently fully committed to using Brave as my primary browser after the Firefox certificate fiasco. My decision to abandon Firefox (after using it since its inception), wasn’t so much for how avoidable that whole catastrophe was. It was the culture that revealed itself when I looked into the cause. Immediately upon switching to Brave, I messed around with sideloading extensions. When I saw the popup, I wasn’t bothered at all. Totally makes sense to warn a user when they make a change like that. Then it happened again. The third time it happened I thought, certainly I can find the setting to turn this off. When I couldn’t, I’ll admit I was pretty disheartened. It’s a simple thing, but having just experienced all of my extensions being disabled 'remotely' (without any official way for me to remove Firefox’s boot from my neck) it chipped away a bit of my confidence in Brave. I have no doubt there are other Firefox refugees that are moving to Brave for this very same reason. And I know some of them got the same vibe when they saw that warning wag its finger at them with no option to disable it. Love the Browser. You’re doing a great job. Keep it up and please – keep it open. |
Yep, |
|
In short:
This seems the most sensible approach to me, and more importantly: the safest approach. |
|
Showing the warning once a week. Once a month... hell I'll even take once a day, that's really -really- annoying and makes me consider whether I want to continue using brave, but I can swallow it. Fact is I've already sideloaded an extension, whatever damage it can do, is already done. Warning me about it every time I open the browser is only driving me to either 1) change browsers to something else, or 2) Ignore the warning entirely, and click blindly through whatever warnings Brave wants to throw up there any time I log in, so if you have -any- other security-related warnings, they better all be a thousand times less important than this one, because this one is going to make me ignore the content of literally any warning Brave puts in front of me. In order for me to be sideloading an extension, I need to have a capacity through my own ability, or someone close to me who can walk me through it, to use my browser at an elevated level. There is nothing that irritates me more than a program that treats me like a child. I know what I'm doing, I know the risks, and it's my computer, my browsing experience, I should be the one making decisions. Caveat Emptor. Let it be on my own head. |
Agree, this has been mentioned so many times, I hope they read the comments and understand our concerns. It's not just about the popup being annoying. The popup is supposed to warn us about malicious extensions, but it becomes useless because users (who sideload their own extensions) just instinctively close it. |
|
Anyone that is going to be doing this very likely has SOME BASIC knowledge of technology. |
I mean... maybe you should consider the fact that you don't know their target audience... I'd characterize their target audience as a large market share of privacy conscious individuals, and to that end, a warning that you have deliberately chosen to configure your browser in an insecure fashion does make sense, however requiring an equally convoluted and complicated method of disabling or delaying the message would be able to accomplish the same goal without irritating people who write their own extensions that they don't -want- loaded publicly. |
It is certainly not necessarily in an insecure fashion. For example, if you wrote the extension yourself and are just using it locally. |
|
I believe what they're INTENDING to say here is that having developer mode enabled to allow the sideloaded extensions is inherently insecure. Not that the extensions themselves are. I'm not sure on that though. |
Um.... yes that is their target audience. o.O |
|
Hi, The first time I received this notification I thought it was considerate and I appreciated it. This outlined scenario is not a security concern. The user in the outlined scenario has either ignored the notification or understands and acknowledges the notification. There is no security or legitimate reason to repeatedly prompt the user with the same notification over and over ad infinitum. |
|
@BriantGea You're conflating security conscious with technologically capable. Just because someone wants their data kept private, and knows that Brave is a browser that keeps that in mind, doesn't mean they know anything about extensions and the dangers they might present. Meaning that those with the technological background to be considered to have informed consent at the outset without a warning in the first place are actually just a small subset of those people who are their target audience. Average users within their target audience may have no idea how dangerous extensions can be. That said. After a hundred warnings I'm pretty sure either we understand the risk and don't care, or we're ignoring the warning. Either way the warning is no longer serving a purpose. |
Just because someone can't make an extension doesn't mean they don't know the very basics of how they work. But yes, as the "warning" is now... it only serves to drive people away from the platform. |
rebron
added
design
|
Thank you for putting it in the roadmap rebron :) |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
@kiloJuliet an alternative to the Chrome Web Store is possible - the URLs recognized by Chromium are in I'd suggest making a new issue capturing your feedback in a way that can be actionable ( |
|
This may need additional investigation. I am no longer getting this warning on Nightly. |
|
interesting - I wonder if this was impacted by the field trial changes that were just merged? |
|
Its related to |
|
My preference is to continue displaying the warning as before in all CI builds except for a special actually-for-developers build (like Firefox has) in which it can be disabled. In the absence of a special developers build, I'm begrudgingly okay with allowing a preference to disable it in Nightly and in Dev. |
|
Since this is currently disabled, because of the field trials... I'm going to close this issue @tomlowenthal can you create a new issue for the behavior you think makes sense? 😄 |
|
New issue is #5063. |
|
@bsclifton is there anything QA can do here? Sounds like this was disabled due to the field trials work. Would a simple test case of side loading an extension manually and making sure the modal popup doesn't appear be sufficient? If there's anything else that needs to be QA'd here, please let me know 👍 |
|
@kjozwiak that would be a great test - let me add the labels and some test steps |
|
Great, thanks @bsclifton! Much appreciated! |
|
@kjozwiak top posted edited 👍 |
|
Verification passed on
Verified steps from the description. Verification passed on
Verified steps from the description. Verified passed with
|
LaurenWags
added
QA Pass-macOS
release-notes/exclude
and removed
release-notes/include
labels
and others
Test plan
Load unpackedand then pick the folder where the extension was unzippped (step 2)Description
We inherit the following UI from Chromium:
We should adjust the messaging for this since we sometimes recommend certain extensions be manually installed when the Chrome store doesn't allow them.
Note that we don't have our own store right now, so this isn't about policy of what should or shouldn't be allowed.
We definitely don't need to keep showing it every time you launch the browser.
The text was updated successfully, but these errors were encountered: