Support for Extensions?

[dhananjaipai]

Preliminary checklist

• [X] I have read the README
• [X] I have read the FAQs.
• [X] I have searched existing issues for my feature request. This is a new issue (NOT a duplicate) and is not related to another issue.
• [X] This is a feature request for the Cromite browser; not the website nor F-Droid nor anything else.

Is your feature request related to privacy?

Yes

Is there a patch available for this feature somewhere?

Not sure

Describe the solution you would like

I see that Kiwi and Yandex browsers have support for adding custom chrome extensions. I am a noob when it comes to Android apps, mods and patches, but just wanted to know if it would be possible to have support for chrome extensions ?

Describe alternatives you have considered

Using multiple browsers

[Kirshi912]

You need to request this feature to google or chromium team instead.

[uazo]

@dhananjaipai think, I'm in favour of removing extension support even on desktops! but I'm still thinking about it a bit, including your request.

[dhananjaipai]

@dhananjaipai think, I'm in favour of removing extension support even on desktops! but I'm still thinking about it a bit, including your request.

Thank you. If extensions are not possible can you kindly evaluate a bookmarkbar support or something similar to invoke custom bookmarklets to inject some features? Currently it is a pain to type javascript:xyz since pasting on the address bar will clear the javascript bit for security I am assuming

[uazo]

bookmarklets

what are they?

[Universalizer]

1. Not all Browser's extensions respect privacy or security,

2. Probably (Sometimes) they mess-up Browser's fingerprint uniquely.

3. If in-case an extension has problems, they need to be bug report to extensions developers, but mistakely complain to Browser's Developer & that gets irritated & frustrated.

Do you want to de-motivate browser developers?

[dhananjaipai]

bookmarklets

what are they?

https://en.m.wikipedia.org/wiki/Bookmarklet

Basically custom javascript that you can run on the page saved as bookmarks. You can basically create a bookmark with the content as "javascript:document.querySelector('video').playbackRate=4" for example and when you are on a page playing media and with slow speed you can click the bookmark and it will run the script to play it faster

[dhananjaipai]

1. Not all Browser's extensions respect privacy or security,

   2. Probably (Sometimes) they mess-up Browser's fingerprint uniquely.

   3. If in-case an extension has problems, they need to be bug report to extensions developers, but mistakely complain to Browser's Developer & that gets irritated & frustrated.

Do you want to de-motivate browser developers?

I mean, make it as a superuser feature perhaps that can be enabled with a custom flag for example. I think it is unwise to discount a feature just because some people may not understand how to use it. 😅

[uazo]

@Universalizer the possible benefit is to let others fix privacy issues for the sake of the browser. Because it is unlikely that I can do everything. But it is a personal thought, not a choice for now.

Not all Browser's extensions respect privacy or security, Probably (Sometimes) they mess-up Browser's fingerprint uniquely.

same here, I give no warranty on any of my modifications.

If in-case an extension has problems, they need to be bug report to extensions developers,

this could be true

[Rusenche]

@uazo > @dhananjaipai think, I'm in favour of removing extension support even on desktops!

Sounds scandalous!

If this becomes a fact, google will be happy to have followers in the destruction of the user experience.

My personal thought - if the desktop option of not being able to install extensions goes away, Cromite will lose almost all users.

[Universalizer]

@Universalizer the possible benefit is to let others fix privacy issues for the sake of the browser. Because it is unlikely that I can do everything. But it is a personal thought, not a choice for now.

Real true fact, one single person has capacity limitations of doing all things alone, it requires team work of more than three or more software developers.

---

Draft FAQ (Frequently Asked Questions) Important notice to the Cromite end user's, especially for Browser's extensions

Browser's extensions though supported in Desktop environment but no guarantee or warranty on third-party's extension, that completely relies at end-users due-diligence and responsibility.

Cromite developer takes no liability, or shall not be blamed for these case matters & situations.

---

These is just draft for faq. Any further suggestions or corrections are welcome.

[NDSTHEBEST]

@dhananjaipai think, I'm in favor of removing extension support even on desktops! but I'm still thinking about it a bit, including your request.

Please add support for extensions. It will be very helpful. I've been searching for how to do it, but since I'm not a developer and even if I were, I couldn't do it because I do not possess the source code. So, in short, please add this to future releases, at least as an option🙏

[Universalizer]

Check all open and closed issue's section of ice,raven and ki,wi Browsers, feels pity or compassion for their developers and maintenance.

Even, i myself personally speaking, would like to have extension's support, but thinking Carl was alone, Uazo collaborating him and consistently enhancing Bromite as much as possible by Uazo.

Worry that Uazo also does not gets irritated or frustrated or get tired in the end, Also currently Bromite status that is unknown, that should never ever happen again with Uazo and Cromite (After Bromite only hopeful and trustworthy Purest 100% FOSS Browser without any proprietary libraries or codes in software package).

That's it.

Bromite or Cromite User Community can promise following,

Uazo you please add extension support to Android's Cromite, we promise you that we will not harass you for any specific/particular extension related problems of any kind. WE SWEAR.

But, how the newbie or beginners may be aware of it :- Whether any specific problem is related to upstream Chromium, or Cromite, or by any extension, it might be slightly/heavily complicated. Atleast today we can guess whether it is either of two.

These are all concerns.

[Universalizer]

Remember my words, Generally, Speaking is easy, but to implement it, sometimes becomes hard or tough.

Same way, Promise or Swear is easy, but to implement ❓️

[DI555]

@uazo , nevertheless, imo, the best way is to make extensions support be optional, switchable by a switch! This way will take a restart of browser, to make an extension api be active or inactive from the restart. So, really all will be happy!

[Rusenche]

@Universalizer: Even, i myself personally speaking, would like to have extension's support, but thinking Carl was alone, Uazo collaborating him and consistently enhancing Bromite as much as possible by Uazo.

Worry that Uazo also does not gets irritated or frustrated or get tired in the end, Also currently Bromite status that is unknown, that should never ever happen again with Uazo and Cromite (After Bromite only hopeful and trustworthy Purest 100% FOSS Browser without any proprietary libraries or codes in software package).

That's it.

Bromite or Cromite User Community can promise following,

Uazo you please add extension support to Android's Cromite, we promise you that we will not harass you for any specific/particular extension related problems of any kind. WE SWEAR.

But, how the newbie or beginners may be aware of it :- Whether any specific problem is related to upstream Chromium, or Cromite, or by any extension, it might be slightly/heavily complicated. Atleast today we can guess whether it is either of two.

These are all concerns.

@Universalizer, @uazo, Of course I support adding the ability to install extensions. It is logical to say the following - why do we need Cromite (removed google services) when we cannot install an extension and/or block ads.

But I support the idea that users should be able to choose which extensions to install, because there were some browsers where you could install from a certain list only a few extensions and nothing more. This is total consumer discrimination because consumer choice is taken away.

Another stupid thing on google's part is that they discriminate against all chrome/chromium users by not giving users the option to opt out of installing updates to certain extensions. There are cases when an extension update installs malicious code and adds a search engine, which is an unwanted effect. We as users should be able to choose whether we want to install an update or not.

Until now, this is toxic discrimination on the part of the aggressor google!

[Rusenche]

@Universalizer: Even, i myself personally speaking, would like to have extension's support, but thinking Carl was alone, Uazo collaborating him and consistently enhancing Bromite as much as possible by Uazo. Worry that Uazo also does not gets irritated or frustrated or get tired in the end, Also currently Bromite status that is unknown, that should never ever happen again with Uazo and Cromite (After Bromite only hopeful and trustworthy Purest 100% FOSS Browser without any proprietary libraries or codes in software package). That's it. Bromite or Cromite User Community can promise following, Uazo you please add extension support to Android's Cromite, we promise you that we will not harass you for any specific/particular extension related problems of any kind. WE SWEAR. But, how the newbie or beginners may be aware of it :- Whether any specific problem is related to upstream Chromium, or Cromite, or by any extension, it might be slightly/heavily complicated. Atleast today we can guess whether it is either of two. These are all concerns.

@Universalizer, @uazo, Of course I support adding the ability to install extensions. It is logical to say the following - why do we need Cromite (removed google services) when we cannot install an extension and/or block ads.

But I support the idea that users should be able to choose which extensions to install, because there were some browsers where you could install from a certain list only a few extensions and nothing more. This is total consumer discrimination because consumer choice is taken away.

Another stupid thing on google's part is that they discriminate against all chrome/chromium users by not giving users the option to opt out of installing updates to certain extensions. There are cases when an extension update installs malicious code and adds a search engine, which is an unwanted effect. We as users should be able to choose whether we want to install an update or not.

Until now, this is toxic discrimination on the part of the aggressor google!

I don't agree it's off topic! It's right on topic. Facts should be mentioned in the right words!

[uazo]

I don't agree it's off topic! It's right on topic. Facts should be mentioned in the right words!

make your own repo and write what you like. I do not accept personal considerations here that are not technical.

[9cento]

+1

[uazo]

@9cento take a poll! it would be interesting to understand what users are interested in.

[AlbahrawyTiger]

@9cento take a poll! it would be interesting to understand what users are interested in.

+2

[foxjaw]

take a poll! it would be interesting to understand what users are interested in.

Polls are the most useless decision making tool. Democracy is a cancer ! If you try to serve people, they'll sit on your head...

I do not support extensions at all. They're very invasive, inefficient and insecure. Extensions are the reason Chrome became a billion dollar industry & it's the main reason for ChromeOS being an "OS".

If you wanna try to include a certain feature supported by a certain extension, check if a patch exists or not & then add the functionality directly into cromite. But never add extension support. Users will get a lot of issues using desktop extensions on mobile (especially with the advent of MV3) & then blame the browser for the issues they face.

Basic functionalities like adblock, dark mode, etc exist. If a user need a functionality, they should request the feature or open a PR / submit patches.

@uazo You just stick with your decisions as far as cromite development is concerned. Be ready, caz people will gaslight you even more in the future, with phrases like "\<insert your browser> already has extension support", "the userbase will shrink", "google bad", etc. Don't fall for them.

[VPaulV]

Probably it can done in a similar way ungoogled-chrome does? Where extensions are not supported but if you want them you can install the NeverDecaf/chromium-web-store plugin?

[foxjaw]

@VPaulV That's desktop plugin which unlocks the extension management that was removed from vanilla chromium. Won't work on android caz chromium-android codebase don't have extension support in the first place.

[VPaulV]

@foxjaw yes, you are right. My comment was regarding the desktop part

[sid44sid]

Please, let me explain, why I'd like to have extension support. In my case internal adblocker still misses some ads. But k|w| with uBlock + tampermonkey + adlist jx fix performs excellently. If internal adblocker in Cromite acts with same effectiveness, then no need in any other extensions in my case. All other features are enough to cover most expectations of users imho.

[uazo]

what is k|w| ? and adlist jx fix ?

[foxjaw]

what is k|w| ? and adlist jx fix ?

@sid44sid's trying to type kiwi browser without banning himself (not sure why mentioning that would bother anyone).
That project is very shady tbh. They're not fully open source, paywalled recent codebase & use action-bot to push releases. They literally violate BSD clause licence.

[sid44sid]

what is k|w| ? and adlist jx fix ?

Kiwi browser (sorry for strange typing). Here is script for tampermonkey: https://greasyfork.org/en/scripts/19993-ru-adlist-js-fixes I've tried to install it in Cromite (as link and standalone file), but without success for removal annoying ads. :(

[foxjaw]

If you're using uBO on chrome, then you're in the wrong path. It was, it is, & it will always be a firefox exclusive. You'd always get a better uBO experience in firefox. I fully support removal of extensions on cromite, as it's a very big privacy loophole apart from UAH & other fingerprint mechanisms.

can you also write down why?

@uazo CNAME uncloaking, body filtering, prefetch, browser pre-initialisation, webassembly compatibility, etc.
https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-best-on-Firefox

Chrome has these weird shady backend tactics that don't allow uBO's full potential, which is why firefox's gecko is preferred instead of blink.

[foxjaw]

from https://github.com/uazo/cromite/issues/560#issuecomment-1898379917

from #256 (comment) (@foxjaw)

• CNAME support is traced in Dns CNAME support in Adblock Plus #247
• HTML filtering: I did not know this
• Response body filtering: already supported
• Browser launch: being integrated, adblock is available immediately
• Pre-fetching: disabled in cromite
• WebAssembly and Storage compression: cromite use c++

Interesting. I've never explicitly tested ABP but it seems like a good alternative. But still as not as customizable as uBO.
I'm suggesting users of chrome to not go with uBO extension due to these limitations. If that's the only extension one uses, you already don't need extension support in the first place, since cromite ships with ABP.

[PF4Public]

If that's the only extension one uses, you already don't need extension support in the first place, since cromite ships with ABP.

Zapping DOM elements in uBO is a big deal. It is of high value, I'd say.

[foxjaw]

Zapping DOM elements in uBO is a big deal. It is of high value, I'd say.

On desktop of course. On a 6~7" android device it's unusable.

I'd rather support using extensions on firefox. On chrome, extensions are a nightmare.

[Universalizer]

On desktop of course. On a 6~7" android device it's unusable

Try in Desktop mode.

[PF4Public]

On a 6~7" android device it's unusable.

If that's your opinion, that's fine. If you state that as a universal truth, you have some proofs for this claim, don't you?

[foxjaw]

Try in Desktop mode.

Yah. I've used Zapper & picker too. Also highly useful when you submit those HTML & CSS elements to filterlists like easylist, uAssets, etc.
We don't have choices other than chrome, since firefox on android is not optimized well.

[Rusenche]

I'm reading suggestions here to remove the ability to install extensions and for a desktop environment.

Dear people, in a world where every time you open a site is associated with loads of ads, in a world where everything everywhere on the internet is intrusively showing you ads, it is an unwanted action. I'm not even mentioning how intolerable the situation is on youtube, facebook... There are scripts developed for some of them. But how to install such scripts if the installation of extensions is prohibited?!

What is the protection of users against forced and mandatory display of ads?!

Personally I have 9190 personal filters - sites I visit, blocked boxes, windows, redundant menus, social media, related articles - you know what I mean.

In a world where resistance is mandatory, the use of extensions is mandatory, removing the ability to install extensions is a lack of common sense.

How can I describe it clearly enough - it's like telling a one-legged person "ah, it's better to be one-legged, you'll feel safer, more protected than anywhere else". This is absurd to even consider the thesis of removing the ability to install extensions.

It's a horror in the android environment - how the developers allowed to disable the ability to install extensions... this is unacceptable. Some browsers allow the installation of only a few extensions from a list, and you still cannot install extensions that the user wants.

Finally, we come to the user experience - do you want to be a sheep or do you want to have a say as users, on whom something still depends...

[uazo]

removing the ability to install extensions is a lack of common sense.

not necessarily, the use of extensions could increase the attack surface for fingerprinting scripts, making your browser different from others and therefore more easily tracked, not to mention that the extensions themselves can be the tracers. it's a matter of figuring out what's best, but don't worry, the issue is here but I don't think I'll be able to get into it for a few years :(

[foxjaw]

@Rusenche Your two paragraphs explain how much you concern about blocking of the ads. Cromite already supports ABP. I'm not sure whether you use cromite or not but, as far as my usage goes, I've never seen any ads till now & ABP works as same as any content based filter extension present out there.
If you need any other important feature of any extensions you use, please submit the patch / open a feature request for it.
I believe that the core fundamentals of Bromite was always had been security & privacy first. And it still is with Cromite.

[NDSTHEBEST]

removing the ability to install extensions is a lack of common sense.

not necessarily, the use of extensions could increase the attack surface for fingerprinting scripts, making your browser different from others and therefore more easily tracked, not to mention that the extensions themselves can be the tracers. it's a matter of figuring out what's best, but don't worry, the issue is here but I don't think I'll be able to get into it for a few years :(

The best option is to just create a toggle, or if it's not possible then maybe creating two apk's, one with extension support and one with no extension support, is an option

If you dont want to do that, maybe try to add a nice guide to nubes like me with the files to support extensions and all of the other stuff

[foxjaw]

There's a reason for privacy focused projects like these to consider removing elements that increase the attack surface. You are not understanding the ramifications of convenience vs security problem. Both are opposite to each other. And one has to give up the former in order to gain the latter.

[pony-montana]

The possibility to install extensions in a browser is a security risk like it is installing programs on an operating system. I think that the possibility to have extensions in browsers is overall good for the user.

The "extension model" lowers the development barrier to provide a functionality, so more eterogeneus parties can compete to provide the best service on the market. You dont need to fork chromium for the n-time to provide a browser with the functions that fills your particular needs; so more individual could propose their changes by working on an extension.

The point is not "choose the best adblocker to ship with cromite"; but give the user access to a post-build extensible set of possibility to personalize their experience. This include "choose themself the best adblocker" and trash the one that worked well until yesterday. These are easy tasks that, if you want to manage by cromite side, it would cost development time, resources and patience; and it will always end with a lot of people unhappy with the decisions made.

Also, analizing security costs:

• Security compromissions are well mitigated by a simple trick: dont install extensions (maybe the possibility to install extensions could be disable by default, hyde behind a flag, to protect most vulnerable users).

• Chromium itself is moving to manifest v3, a discussed way to make extensions more secure: no more arbitrary native-code executions but a declarative model to granularly expose only the functionality requested. This is someway similar to how android apps works for example, and will make the extensions landscape more secure for the average user. Extensions in chromium are not going to die, and are evidently a crucial part of the "upstream plans" for the browser (I expect to see extensions enabled in chrome android after the migration to mv3 will be completed).

[pony-montana]

I also add these other points:

• With bromite I have two adblocker that dont work well and a proxy-interface that laks some advanced functionalities I need. I considered it bloat, fill of bad functionality and lack of functionality that I need. I prefer ungoogled-chromium + 2 good extensions. This is a real example of the concept I was exposing in the previous comment about how good "free low-barried markets" could be.

• chromium is not an easy beast to manage: are you sure that a one-man injecting code at build-time is a secure and maintainable approach? This approach is really bad considering how it could break some mitigations and security assumptions (like CFI, already broken in cromite). Why not use extensions, the standardized interfaces defined upstream to implement functionailties? If its true that extensions could have security and privacy problem, I think that the actual development model is far far worse in these terms.

These critics are intended as a way to help improving, I understand how difficult is managing a project like that and respect your great work.

[uazo]

chromium is not an easy beast to manage: are you sure that a one-man injecting code at build-time is a secure and maintainable approach? This approach is really bad considering how it could break some mitigations and security assumptions (like CFI, already broken in cromite).

I think that the actual development model is far far worse in these terms.

I don't understand, can you please explain?

EDIT: regarding the other things you wrote, I understand, it is your point of view and I respect it, I just think differently.

[pony-montana]

chromium is not an easy beast to manage: are you sure that a one-man injecting code at build-time is a secure and maintainable approach? This approach is really bad considering how it could break some mitigations and security assumptions (like CFI, already broken in cromite).

I think that the actual development model is far far worse in these terms.

I don't understand, can you please explain?

I intend, to add a functionality it needs to be added someway. Building it at compile time with the browser is not a standadized way to do it and open the doors to a range of security and privacy problem far more dangerous than what could come from the standardized and contained (mv3 in particular) extensions interface. Cromite is a sort of one-man project, and even if you are good at write and implement the functionalities, these approach add a lot of development-debt in terms of how much man-work would need to maintain these functionalities; and, most important, how this added code messes with other part of the upstream code from a security perspective.

edit: A lot of chromium mitigations are very deep and complicated, and have a lot of ramifications in improbable areas of the code. Messing with them at compile time AND still manage to keep it secure is something that entities like microsoft, brave, ecc do. They have payd workers, bug bounties ecc...

[uazo]

Building it at compile time with the browser is not a standadized way to do it and open the doors to a range of security and privacy problem far more dangerous than what could come from the standardized and contained (mv3 in particular) extensions interface.

Yes, it is true, it is a danger that exists. one forgets, however, that some functions modified in b/cromite are not accessible by extensions, and allowing extensions to have more power generates the same danger. even if only to give an example unrelated to adblock, canvas blocker mitigations are useless made only through extensions. The 'cookie autodelete' extension itself cannot really delete all session data.

and, most important, how these added code messes with other part of the upstream code from a security perspective.

True, a suitable team would be needed, which there isn't one here, but security-related changes are minimal and I normally only try to enhance logics already pre-set by chromium. if you find a patch of mine that you have doubts about, please ask.

as far as fingerprinting is concerned, I think it would be better not to install any extension, in this browser. the principle is the same as tor, better to look all the same, at least in behaviour: having an extension that differentiates you, in a browser with few users, is even worse. Just the rules you decide to enable in ablock already allow you to differentiate yourself from others.

Messing with them at compile time AND still manage to keep it secure is something that entities like microsoft, brave, ecc do. They have payd workers, bug bounties ecc...

Here again, my perspective is different: they serve their interests, I mine as a user. sure, the great thing is not to be alone, but what can you do? hope it is someone serious who will put this browser to the test. we shall see.

[foxjaw]

Avoiding extension support is the best way to reduce attack vector. I donno about technically apt users but, the majority ones surf extension store like a restaurant menu & install whatever works for their use case. This brings a whole lot of loopholes in the browser's security & will turn vulnerable.
Infact, @uazo's thinking of removing the support for desktop variant too, which I think no browser dev thought of this till today.
Bromite's principle goal was always been security & privacy first in mind. I believe same applies to Cromite as well. It's always been convenience vs security. You wanna gain one, you always lose one.

Another reason to reject the support, is the breakage of FOSS environment. Extensions allow user to use non FOSS extension projects as well as the servers that they connect to. If the browser itself is open, but the extensions aren't, then the overall environment of the usage won't be FOSS anymore.

[pony-montana]

however, that some functions modified in b/cromite are not accessible by extensions, and allowing extensions to have more power generates the same danger. even if only to give an example unrelated to adblock, canvas blocker mitigations are useless made only through extensions. The 'cookie autodelete' extension itself cannot really delete all session data.

I think that patches cant be totally avoided, chromium itself is not a "product ready-to-ship", and lack most basic functions that need to be implemented someway. But in my opinion the most solid approach would be minimize the patches and include only the most simple and useful (something like ungoogle-chromium does, to make an example) and use extensions for what they are intended for. The benefits of this approach are discussed in the previous messages.

I understand your view and how it is different from mine, and if you proceed with your vision I hope it will work well for cromite. There are a lot of variables in the game and I don't exclude that your approach could reveal benefits that at moment I can't see.

[uazo]

But in my opinion the most solid approach would be minimize the patches and include only the most simple and useful and use extensions for what they are intended for.

that approach is not feasible. perhaps I have not made myself clear: extensions do not have the power to restrict what patches do. secondly, changes made with extensions are easily traceable

(something like ungoogle-chromium does, to make an example)

I have never checked the ungoogled patches, but I will (sooner or later).

[foxjaw]

On desktop chromium forks, I believe no project removed extension support completely yet. On android chromium projects I believe no one enabled extension support other than kiwi & yandex (where both are closed source & failed drastically). Ungoogled chromium did nothing but removing google services & dependencies apart from being just another chromium out of the box.

[uazo]

there's also edge apparently

https://9to5google.com/2024/01/31/microsoft-edge-android-extensions/