Warn about sideloaded extensions

[tildelowengrimm]

Sideloaded extensions have been a common malware vector, but are less effective at present thanks to browser interventions. To protect people from surreptitiously-sideloaded extensions, Brave should show a warning whenever the browser starts.

Unfortunately, any preference which allowed this warning to be bypassed could be manipulated by the same tooling which sneakily-sideload extensions in the first place. So for this to work, there can't be a preference, configuration flag, or similar for official builds. Non-official builds can have a preference (either a flag or a setting) to disable the warning.

[Note that this warning is not present in Brave's Dev or Nightly builds. If this bugs you, try out Brave Dev.]

[Kaerakh]

This response does not address any of the constructive feedback provided in #4349

User feedback in #4349 clearly and repeatedly mention numerous alternatives for informing the user of how their decision to side load is a security risk, and to make the user understand their decision.

Leaving a nagging pop up in place only serves to annoy the user who has accepted the risk and consequences for side loading their extensions. There is no security value after the first notification.

This response does not seem to understand the concerns leveled in the user feedback provided in #4349

[epycurasWynter]

I just left a review with how pleased I was Brave devs said they were going to fix this issue, recommending this browser to hundreds of users, and now you take the authoritarian stance we're too dumb to make our own choices? Should I start warning people this is the coding culture surrounding the browser even when the userbase overwhelmingly voices opposition to this setup? I have to deal with this prompt appearing every time I open this browser and it's both unprofessional in design and a giant middle finger to extensions that can't be posted on the Chrome store due to their pro-censorship stance against paywall-blockers, in-extension YouTube video viewing, and the Dissenter extension which is vital to commenting online without being banned/censored.

I was of the opinion this was a user-friendly browser because this change was stated to be coming here: https://github.com/brave/brave-browser/issues/4349

I even recommended a developer go out of their way to bring their fandom and popular extension to this browser because I thought this change was coming, and now do I have to tell him and his potential hundreds of thousands of future users this browser isn't up to snuff because of an ultra-paranoid stance that malicious scripts can break the browser settings if a user's dumb enough to download them? Well, you're going to have to either trust users aren't dumb enough to let it happen, lose a lot of users making this completely unnecessary move that isn't pro-privacy -it's just anti-user, or figure out a better solution because this ain't it chief. We don't want a special new browser to fix this setting we just want this browser to not suck and discourage usage of unloaded extensions like you are clearly trying to do here.

If the Brave coders are not smart enough, or simply do not care enough to fix an issue the community has voiced support for, I will make sure the Brave community and browser community is well-informed on the matter. Actions breed patterns and I can see exactly what kind of hole this mentality leads into. Please think very carefully if this is the hill Brave's team wants to die on. Don't dictate a bad decision to us and expect it to go over well when we voiced to the contrary already. All this does is encourage people to switch off of this browser -and I'm pretty sure that's a lot less secure than just fixing the problem properly.

[Mr-Mondragon]

Tom, you are still ignoring the fact that the way this warning currently works, makes security WORSE, not better.

I've addresses this in detail here.

[tildelowengrimm]

Hi everyone, I want to make something absolutely clear: if you are commenting on this issue, if you are using GitHub, if you make the decision that you want to side-load an extension permanently then this warning is not for you.

This warning exists to protect people who have had extensions sneakily sideloaded without their knowledge. There is a tradeoff between protecting those people and avoiding an inconvenience when y'all open your browsers. We can't meet both sets of needs in the same build. If you have proposed a configurable preference for this notice, you have proposed a plan which will not protect people against surreptitious sideloading, because whatever software sideloads an extension can muck with that preference. There is no middle ground here.

I know that this is going to annoy you occasionally. But I think that is a worthwhile tradeoff for the protection it provides to other people who are not you. I appreciate that you care deeply about this. But more comments of this sort (or of the sort seen on previous related issues) are offtopic. If you want to discuss this topic, please head to community.brave.com. This issue is not the place for further conversation about this.

[Kaerakh]

@tomlowenthal Something to consider Tom,

If I as a hypothetical bad agent write a screen scraper to capture the Brave window and direct mouse movement, does Brave have a responsibility to ensure that the Brave browser has exclusive control of the mouse and to launch as an exclusive fullscreen application in the name of security and protecting your users?

[epycurasWynter]

Hi everyone, I want to make something absolutely clear: if you are commenting on this issue, if you are using GitHub, if you make the decision that you want to side-load an extension permanently then this warning is not for you.

This warning exists to protect people who have had extensions sneakily sideloaded without their knowledge. There is a tradeoff between protecting those people and avoiding an inconvenience when y'all open your browsers. We can't meet both sets of needs in the same build. If you have proposed a configurable preference for this notice, you have proposed a plan which will not protect people against surreptitious sideloading, because whatever software sideloads an extension can muck with that preference. There is no middle ground here.

I know that this is going to annoy you occasionally. But I think that is a worthwhile tradeoff for the protection it provides to other people who are not you. I appreciate that you care deeply about this. But more comments of this sort (or of the sort seen on previous related issues) are offtopic. If you want to discuss this topic, please head to community.brave.com. This issue is not the place for further conversation about this.

If this warning is not for me how about fixing the issue so it stops affecting me instead of censoring all the posts with an inaccurate "comment marked as off-topic" label. This is completely ridiculous I want this fixed and you have no right to treat your users like this.

@bbondy Please tell me this stance is not set in stone.

[Kaerakh]

Ooof, talk about the topic, get marked as off topic. I have been completely respectful in my discourse and on topic, but I get marked as off topic because I don't agree with the predetermined decision @tomlowenthal made in #4349 on May 31st.

I hope you guys aren't making this decision based on the current political climate in lieu of rational discussion. @bbondy @rebron

Since it looks like specific key members of your staff aren't interested in responding to valid user feedback, I'm going to switch Firefox, while they do the exact same thing, the tools I use aren't reliant on the decisions of the Mozilla organization.

Hope you guys have a great day.

[bridiver]

is this only happening on windows?

bool EnableDevModeBubble() {
  if (extensions::FeatureSwitch::force_dev_mode_highlighting()->IsEnabled())
    return true;

  // If an automated test is controlling the browser, we don't show the dev mode
  // bubble because it interferes with focus. This isn't a security concern
  // because we'll instead show an (even scarier) infobar. See also
  // AutomationInfoBarDelegate.
  base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
  if (command_line->HasSwitch(switches::kEnableAutomation))
    return false;

#if defined(OS_WIN)
  if (chrome::GetChannel() >= version_info::Channel::BETA)
    return true;
#endif

  return g_override_for_testing ==
         ExtensionMessageBubbleFactory::OVERRIDE_ENABLED;
}

and

class CommonSwitches {
 public:
  CommonSwitches()
      : force_dev_mode_highlighting(switches::kForceDevModeHighlighting,
                                    FeatureSwitch::DEFAULT_DISABLED),
        prompt_for_external_extensions(

[bsclifton]

@bridiver it should be happening on macOS too - I know I was getting it (along with others)

[50P15]

what about adding a bizzare,masochistic, hard way to disable this warning, so noob users who sideload extensions in developer mode dont get around it?

[theAeon]

Gonna pitch an idea here assuming that having a non-disable-able notification is non-negotiable. The notification is annoying not because it exists, not because there is no way to disable it, but because it grabs the cursor focus. While I do think for average use it makes sense for it to interrupt like that as most will not be mucking around in developer mode, maybe it would make sense to have a toggle on an extension-by-extension basis to have the notification not grab focus and possibly dismiss after a set period of time? Does this comply with you security-based view on this problem, @tomlowenthal ?

[tildelowengrimm]

Again, and I cannot emphasize this enough: this tool does not work if there are any settings which change its behavior. It seems fine to me for it not to grab focus, but I don't know how that interacts with the a11y requirements for warnings. Auto-dismiss not so much.

[theAeon]

Hmm, another way of approaching it would be having it grab focus as it does now but having actions functionally dismiss it. For example, if, on browser start, I click into the URL bar and search, upon my request of the page the warning would dismiss.

[bsclifton]

@theAeon one possible solution would be a "bespoke" version of Brave, similar to how Firefox has a "Developer" edition. I created an issue to track that (and any other specific requests): https://github.com/brave/brave-browser/issues/5315

Until there are enough requirements to take action, that issue is just a good place for discussion. In the meantime, folks can grab the source and compile with the appropriate field trial configs flipped. Docs about setting up and building can be found here: https://github.com/brave/brave-browser/wiki

[mikhoul]

Just migrated from Chromium to Brave but this a major annoying issue for me and my users and I remember why I begun to use Chromium because it don't display the warning.

I manage ~65 computers where I choose which browser is used and since we use custom extensions we need to have an option to disable the warning for our users.

There is a way to make this option without implementing it in the GUI : Just put an option on the command line when you start brave.exe with something like brave.exe -StopDevWarning. Other Chromium forks use this method for implementing custom options.

But honestly the more elegant way would be with a toggle switch that when activated generate a HUGE WARNING that once this option is enabled that your computer can explode.

Right now I will wait before migrating my users to something else that Chromium until there is a way to disable the popup.

Note: Even Vivaldi which is a major chromium fork disabled this warning.

Regards :octocat:

[theAeon]

Seconding the command line flag as an option. If a malicious program is able to change the command line flag in the start menu shortcut it's already achieved system privilege escalation and the user in question seems to be already screwed.

[paulej]

How to have security and stop the annoyance both: warn ONCE about new side-loaded extensions. I appreciate the heads-up if something sneaky happened, but I really don't need to be told more than once.

[BenOravetz]

Here's a solution to this problem: have a whitelist for extensions which we know and can verify as being safe. Only allow that whitelist to be updated when the warning prompts and once an extension is whitelisted, don't warn again.

Having a warning every time a browser loads is just silly. It's a holdover from Google to force users to only use "approved" extensions from their web store. But there some solid extensions out there which are not "approved" by Google which we know are safe and would like to use.

[cthu1hoo]

Here's a solution to this problem: have a whitelist for extensions which we know and can verify as being safe.

Excuse me, "we" in this scenario being who exactly?

But there some solid extensions out there which are not "approved" by Google which we know are safe and would like to use.

I develop chrome extensions for my own personal use (and for my friends). how exactly do you propose for me, and people like me, to get on this hypothetical whitelist of good extensions? do i need to prove myself somehow?

how is your solution different from publishing in chrome store and dealing with their opaque (unless you know the right people on twitter) verification and flagging procedures?

what you're proposing is replacing unaccountable google developers working on chrome store with this theoretical cabal of chosen people who deem things safe or unsafe. i don't know about you, but if i was okay with stuff like that, i'd just use Chrome.

[paulej]

@cthu1hoo I think the proposal was for a local white list that end users manage. If I write an extension, then I can mark it safe locally.

[cthu1hoo]

I think the proposal was for a local white list that end users manage

malicious software running with user privileges will be able to manipulate this whitelist just as easily so this only adds pointless hassle for users with no tangible security gained.

[paulej]

@cthu1hoo it would require something external to the extension to do that, like a malicious binary executable. Given that, lots of bad things can happen. A local whitelist could be digitally signed to avoid tampering except by very sophisticated attacks. And given such sophistication, I'm sure one could already do some serious damage with or without a whitelist.

[Arcuplas]

I get this notification every time I start brave when sideloading adnausem and dissenter. Please add a way for me to disable these notifications, I know what I'm doing!

Please let me whitelist sideloaded extensions so I don't have the close the pop-up manually every time I start brave.

Brave's userbase doesn't need this additional protection from malware. We're not stupid!

[cthu1hoo]

personally I've switched back to Chrome which allows me to self-host my extensions in a supported way via enterprise policy (i.e. GPO) which Brave obviously doesn't support. good luck with your attempts to court normie userbase which doesn't care about your browser in the first place, i guess.

[Arcuplas]

personally I've switched back to Chrome which allows me to self-host my extensions in a supported way via enterprise policy (i.e. GPO) which Brave obviously doesn't support. good luck with your attempts to court normie userbase which doesn't care about your browser in the first place, i guess.

I have switched to the dev build to fix this issue.

[theAeon]

I've since switched to FF. Moz actually cares about their userbase it seems.

[Arcuplas]

I've since switched to FF. Moz actually cares about their userbase it seems.

Originally I switched to firefox to fix this issue, however firefox had an issue that I couldn't resolve, and switched back to brave. I considered just not using the extensions but since I've found out I can fix this issue with the dev version I've settled on that. I've also had issues with other various website's functionality when using firefox, so right now, brave is just better (for me).

[bridiver]

@mikhoul the reason that Chromium doesn't display the notification is because it doesn't have beta/release channel like Brave and Chrome. It is enabled on beta and release for Brave and Chrome, but not for dev. You could either build Brave yourself (setting it to dev channel) or use Brave dev channel.

[bridiver]

I haven't actually verified ^^ myself, but that's what the code says https://github.com/brave/brave-browser/issues/5063#issuecomment-509450667

[Arcuplas]

"I understand the risks and wish to continue, do not show this warning again" Allow users to willingly give up this extra protection. I don't want to have to use the dev and nightly builds.

At the very least let advanced users (who are not necessarily dev or nightly release users) who prefer to use the beta or release builds to white-list specific extensions immune from this extra protection.

Give them the opportunity to inform themselves about what they're doing, and opt out if desired.

I am an advanced user but I don't want to have to use the experimental builds because they're unfinished and often have several problems that I probably wouldn't have with the stable ones.

[Arcuplas]

All I want to do is be able to use 'non-approved' extensions in brave without getting nagged, and not having to use unstable builds to bypass it, is that too much to ask? Seriously I understand why this was implemented, but at least give people the option to turn this off.

[BrendanEich]

The off-topic comments here are not wrong, just off-topic. We'll work on helping users who've been warned sufficiently and know what they're doing to sideload more conveniently, without opening up large numbers of users to socially engineered attacks. For now please keep the OT comments on hold. Thanks.

[Arcuplas]

The off-topic comments here are not wrong, just off-topic. We'll work on helping users who've been warned sufficiently and know what they're doing to sideload more conveniently, without opening up large numbers of users to socially engineered attacks. For now please keep the OT comments on hold. Thanks.

Wrong. Everything contained in those posts you (or another moderator) hid (mine, specifically) directly relates to the issue; in addition to my personal opinion on the matter.

Re-read them.

All I want to do is be able to use 'non-approved' extensions in brave without getting nagged, and not having to use unstable builds to bypass it, is that too much to ask? Seriously I understand why this was implemented, but at least give people the option to turn this off.

"I understand the risks and wish to continue, do not show this warning again" Allow users to willingly give up this extra protection. I don't want to have to use the dev and nightly builds.

At the very least let advanced users (who are not necessarily dev or nightly release users) who prefer to use the beta or release builds to white-list specific extensions immune from this extra protection.

Give them the opportunity to inform themselves about what they're doing, and opt out if desired.

I am an advanced user but I don't want to have to use the experimental builds because they're unfinished and often have several problems that I probably wouldn't have with the stable ones.

Stop marking my posts as off-topic when they're not. Thank you.

[tivalin]

The off-topic comments here are not wrong, just off-topic. We'll work on helping users who've been warned sufficiently and know what they're doing to sideload more conveniently, without opening up large numbers of users to socially engineered attacks. For now please keep the OT comments on hold. Thanks.

Yeah, right. You'll 'help' users, while you block people from commenting and hide comments. Get fucked Brendan.

[tivalin]

@cthu1hoo I think the proposal was for a local white list that end users manage. If I write an extension, then I can mark it safe locally.

Look at this hidden comment. How the fuck is this off topic? And how the fuck is pointing that out worthy of a ban? I hope you reconsider treating your userbase like this.

[Colin-Mac-Donald]

I solved my problems with these rage-gibbons by switching to Dissenter Browser, which was the extension that I needed to use anyway. It'll be my recommendation of choice now that I know the Brave monkeys are heading down the Ubuntu path of knowing best.

[bsclifton]

@cthu1hoo personally I've switched back to Chrome which allows me to self-host my extensions in a supported way via enterprise policy (i.e. GPO) which Brave obviously doesn't support.

GPO is supported actually 😄 If this case works for you in Chrome, it should work great for Brave too

On Windows, the location in registry for the keys is going to be: 1.2 and older HKLM\SOFTWARE\Policies\Chromium

1.3 and newer HKLM\SOFTWARE\Policies\BraveSoftware\Brave

Once set, you can confirm by visiting brave://policy

[bsclifton]

Closing as stale. The UI that was shown in original post was back when we were using a different build config that enabled this by default. We reverted that in 2019 or so and this issue was created to track potentially adding that back in. There hasn't been any updates for ~3 years