uazo / cromite

Cromite a Bromite fork with ad blocking and privacy enhancements; take back your browser!
https://www.cromite.org/
GNU General Public License v3.0

Support for Extensions? #256

Open dhananjaipai opened 1 year ago

dhananjaipai commented 1 year ago

Preliminary checklist

Is your feature request related to privacy?

Yes

Is there a patch available for this feature somewhere?

Not sure

Describe the solution you would like

I see that Kiwi and Yandex browsers have support for adding custom Chrome extensions. I am a noob when it comes to Android apps, mods and patches, but just wanted to know if it would be possible to have support for Chrome extensions?

Describe alternatives you have considered

Using multiple browsers

foxjaw commented 7 months ago

Interesting. If they continue shipping it in the release variants, then I guess Google Chrome will follow the same trend to retain market share. They're destined to be insecure already. This feet is predictive in nature. I believe they'll bring into the stable release when MV2 is deprecated completely (and hence the advent of content filtering halts).

pony-montana commented 7 months ago

> that approach is not feasible. perhaps I have not made myself clear: extensions do not have the power to restrict what patches do.

this statement seems too hard to me. Really are extensions not capable to restrict what patches do for ALL the functionality? Couldn't be considered, for some functionality, a "security feature" not being able to restrict what patches do?

> secondly, changes made with extensions are easily traceable

Changes in general are easy traceable, how they are made is not so relevant. The possible advantage of your approach is that it creates uniformity across the users of the browser. It is not a real advantage unless a larger pool of users starts using it and creates a sort of sufficiently-large anonymity set. As today, use cromite with his patches IS the fingerprint, from this point of view.

> Ungoogled chromium did nothing but removing google services & dependencies apart from being just another chromium out of the box.

ungoogled-chromium adds a lot of flags (even some fingerprint mitigations from cromite). They are not exposed to the settings and disabled by default, but an advanced user can do a lot of setup over a simple "chromium out of the box".

I strongly disagree with the fallacy seems exposed from some people here: "a lot of extensions are a security risk" -------> "extensions are a security risk"

Every tool is bad if the user uses it bad. Hide the function behind a hidden flag will mitigate all the security concerns in my opinion.

foxjaw commented 7 months ago

> I strongly disagree with the fallacy seems exposed from some people here: "a lot of extensions are a security risk" -------> "extensions are a security risk"

"They are" a security risk. Extensions are like subprograms inside a main program. When the main program itself is FOSS & privacy / security oriented, then the subprograms (if exist) supposed to be the same. Unfortunately, the extension store also ship a lot of proprietary extensions. If there a store such as f-droid, but for extensions, could've been secure & made possible. But right now it doesn't seem to be the case.

> Every tool is bad if the user uses it bad.

Define bad please. "Security risks" here means they're loopholes that introduce vulnerability that might be benefitted by the proprietary extensions, which users tend to install.

> Hide the function behind a hidden flag will mitigate all the security concerns in my opinion.

It's the same issue of chicken egg situation. There are users who deliberately aim for extension supported browsers & then use risky extensions on top of that. Because such users need those in their workflow.

pony-montana commented 7 months ago

Users are free to install proprietary extensions and assumes their risks, I don't see the problem with free of will of individuals. I think is important to protect more vulnerable and inexpert people with "sane defaults" (like setting extensions disabled by default). Is literally the tradeoff that android does with third party apps from outside the playstore. Apple, in name of security, does exactly what you want to do with extensions, for the same reasons (+ other economic reasons). I think that imposing this type of restriction over the user is not a good approach.

foxjaw commented 7 months ago

> Users are free to install proprietary extensions and assumes their risks, I don't see the problem with free of will of individuals.

This also means you are also free to use browsers that support extensions. Please go ahead & use Kiwi or Edge Beta, as they already are on that path.

> I think is important to protect more vulnerable and inexpert people with "sane defaults" (like setting extensions disabled by default).

That helps no one actually. Why introduce a risky feature & then disable it by default ?

> Is literally the tradeoff that android does with third party apps from outside the playstore. Apple, in name of security, does exactly what you want to do with extensions, for the same reasons (+ other economic reasons).

First of all, the Android & Apple example you just gave, is not at all has connection with this feature. Android does this, because it's FOSS. Play Store does opposite, because it's proprietary. Again, same issue with Apple because it's proprietary too. You are free to fork Cromite, hire a bunch of developers (or yourself) & introduce the features that you like. And then publish it with the same license. But as far as Cromite project goes, I don't think it's a right choice to support this, because of the proprietary introduction & other risk factors involved with it.

> I think that imposing this type of restriction over the user is not a good approach.

It's not a restriction. It's a principle that Bromite (now Cromite) tends to follow. Security is primary, & then anything is secondary.

pony-montana commented 7 months ago

> That helps no one actually. Why introduce a risky feature & then disable it by default ?

because it is a useful feature.

For the analogy with android and apple I think you are not on point. You don't need to fork android to add third party app source, FOSS has nothing to do with that feature.

uazo commented 7 months ago

> this statement seems too hard to me. Really are extensions not capable to restrict what patches do for ALL the functionality?

you don't have to believe me, document it yourself.

> Changes in general are easy traceable

um... complex topic. changes are easily traceable to what? what i'm saying is that extensions are easily traceable, i don't mean changes. for fingerprinting, in my opinion, behaviour must be considered, not changes. and it must consider behaviour among those detected, in the hope of matching the same user. the aim is to make the match difficult by widening the range that generates the statistical error and at the same time disable what the browser grants sites for their business and marketing. if services on the internet are free, there is a reason, and the reason is you. moreover, google, as the producer of chrome, has limits it cannot exceed: if it deactivates third-party cookies, it must provide an alternative, otherwise the various antitrust authorities will storm it.

> The possible advantage of your approach is that it creates uniformity across the users of the browser.

precisely

> As today, use cromite with his patches IS the fingerprint, from this point of view.

You are right, if we are talking about tracking between different sessions: the only possibility in fact is that it will be used by several users with the same ip. and in the meantime the user should use a different ip between different sessions. but it is a problem common to all browsers. i would like to create a proxy for all cromite users in due course, but it is not easy, because it must have the right characteristics and above all it must relieve those who maintain it of legal problems.

> "a lot of extensions are a security risk" -------> "extensions are a security risk"

i never said that. i only said that extending what they can do to allow them to do more is risky. more risky than patching the browser.

> Every tool is bad if the user uses it bad.

You are right about that too, but I wish this browser could be used as it is even by those who know nothing about security and fingerprinting

> I don't see the problem with free of will of individuals.

neither do I!

> It's a principle that Bromite (now Cromite) tends to follow. Security is primary, & then anything is secondary

I like that at least you have a clear idea of what cromite is, I still don't :)

foxjaw commented 7 months ago

> because it is a useful feature.

More useful doesn't mean more secure. It's inverse. For instance, here's how the Brave Browser handled it, despite being FOSS.

> For the analogy with android and apple I think you are not on point. You don't need to fork android to add third party app source, FOSS has nothing to do with that feature.

FOSS licensing is the huge reason that has everything to do with this feature. Play Services is just a system service that is shipped on Android, as well as iOS (may be Windows too ? I donno). It comes as a side service beside Android. Hence it can't dictate whether the operating system should prohibit sideloading or not. But Apple does this, because they're completely proprietary.

I think the discussion shouldn't go offtopic.

pony-montana commented 7 months ago

> FOSS licensing is the huge reason that has everything to do with this feature

windows permits third-party-source installations using .exe format, this design choice has nothing to do with foss.

Here you are proposing the same tradeoff as apple make on IOS, if you permit me the parallelism: consent to extend functionality of the product only by submitting them to a centralized source and following their rules, decisions and quality-control. In the apple case is the app-store the centralized source; here is the centralized point of development for shipping patches in cromite. In either cases the design choice is to restricting user possibility to access a free market of software to extend the product. This will probably keep safe some users from screwing up themself and could be a good choice for security. For me is the wrong tradeoff.

Obviously, there are a lot of differences from cromite case and the ios case, they aren't totally equiparable. But with a bit of abstraction, I think this parallelism could be on point.

> i never said that. i only said that extending what they can do to allow them to do more is risky. more risky than patching the browser.

I don't agree and consider the security risk of patching higher in a lot of cases (for every cases where a user install only verified and trusted extensions basically).

> I would like to create a proxy for all cromite users in due course, but it is not easy, because it must have the right characteristics and above all it must relieve those who maintain it of legal problems.

This seems really ambitious.

I understand the direction of the project and how it is different from my views. I wish you all the best for cromite and I hope It will be useful for a lot of user :)

foxjaw commented 7 months ago

> here is the centralized point of development for shipping patches in cromite.

You can also mailing list @uazo the patches too. GitHub is just a platform to host the code & manage the repository. I don't see what's centralised here.

> screwing up themself and could be a good choice for security. For me is the wrong tradeoff.

For "you", it's a wrong tradeoff. For security conscious, it isn't.
What feature does cromite not have that you must need extension support ? Be elaborate on that please.

> I wish you all the best for cromite and I hope It will be useful for a lot of user :)

FOSS projects don't sustain by pleasing the users btw. They only sustain because a developer intended to use by himself & users tend to stick to it because they liked it.
"A lot of users" is not the goal of cromite at all if you hope so. That's basically too much burden for uazo ;)

Secret-chest commented 6 months ago

> Not all Browser's extensions respect privacy or security,

Not like Chrome does. Also, no one forces you to install them.

> Probably (Sometimes) they mess-up Browser's fingerprint uniquely.

What?

> If in-case an extension has problems, they need to be bug report to extensions developers, but mistakely complain to Browser's Developer & that gets irritated & frustrated.

Then just tell them to disable the extensions.

Secret-chest commented 6 months ago

> If in-case an extension has problems, they need to be bug report to extensions developers,

this could be true

You should clearly state issues should be reproducible without extensions.

Secret-chest commented 6 months ago

> not necessarily, the use of extensions could increase the attack surface for fingerprinting scripts, making your browser different from others and therefore more easily tracked, not to mention that the extensions themselves can be the tracers. it's a matter of figuring out what's best, but don't worry, the issue is here but I don't think I'll be able to get into it for a few years :(

Add a warning!

Secret-chest commented 6 months ago

> There's a reason for privacy focused projects like these to consider removing elements that increase the attack surface. You are not understanding the ramifications of convenience vs security problem. Both are opposite to each other. And one has to give up the former in order to gain the latter.

ABP is not everything an extension can do for security or privacy.

Secret-chest commented 6 months ago

> Avoiding extension support is the best way to reduce attack vector. I donno about technically apt users but, the majority ones surf extension store like a restaurant menu & install whatever works for their use case. This brings a whole lot of loopholes in the browser's security & will turn vulnerable.

Just make extension support optional, disable it by default, add a warning...

> Another reason to reject the support, is the breakage of FOSS environment. Extensions allow user to use non FOSS extension projects as well as the servers that they connect to. If the browser itself is open, but the extensions aren't, then the overall environment of the usage won't be FOSS anymore.

You aren't forced to use nonfree extensions.

Secret-chest commented 6 months ago

> Unfortunately, the extension store also ship a lot of proprietary extensions. If there a store such as f-droid, but for extensions, could've been secure & made possible. But right now it doesn't seem to be the case.

We can support extensions without supporting the store.

DI555 commented 6 months ago

anyway, always would be possible to have two profiles for the browser - one with extensions, and second without it.. for banking or smth..

but, another fact is that even workable extensions system on android (kiwi) has huge author’s aggressive blobs that not giving full extensions work((, but we have a source code of that extensions realisation at least!!!

uazo commented 5 months ago

I think, if I have time, I will attempt to port the kiwi extension activation patch to cromite.

i would like to remove a doubt, namely whether it is easier to create internal browser extensions in javascript rather than develop them directly in c++ and java, also because i think it is easier to find collaborators in javascript rather than someone capable of understanding that gigantic amount of c++ code.

but that's just an idea... it depends on how much work there is behind it. In any case, I am thinking about it.

EDIT: ah, obviously, no ETA

foxjaw commented 5 months ago

The Geometry OU devs have some sort of Azure server automations for their paid contributors. This business model also allows them to be funded by Yahoo Inc. as default search engine.
Extensions are the very reason for their browser marketshare. If uazo digs into this by using their patches (ofc you gotta agree their license agreements), I think you should be ready because they're gonna come after cromite caz it hurts their business. Just make sure you also keep these things into consideration.

uazo commented 5 months ago

What is Geometry OU?

foxjaw commented 5 months ago

https://kiwibrowser.com/about/

uazo commented 5 months ago

ah, it's kiwi :) but no problem. their patches are BSD-3-Clause licensed

Universalizer commented 5 months ago

Alternative option or ideas from here also https://github.com/wchen342/ungoogled-chromium-android, GPL-3.0 license

Universalizer commented 5 months ago

These https://github.com/wchen342/chromium-android-extension/tree/master/patches/Extensions

aicynide commented 4 months ago

If you add extension support like Cromite windows in android app, i'll stop using Mull and will use Cromite as my daily driver

foxjaw commented 4 months ago

@aicynide If you're thinking of uBO, it still works better on firefox than chrome.
And no. Uazo don't give a d@mn about the userbase of cromite. There's nothing inside the browser that generates revenue for the dev.

aicynide commented 4 months ago

Browsers are unusable without extensions and userscripts

9cento commented 4 months ago

> Browsers are unusable without extensions and userscripts

So much this!

foxjaw commented 4 months ago

> Browsers are unusable without extensions and userscripts

It's fair to put your opinion. But you can't decide what's usable and what's unusable for everyone. The 95% of the users never used kiwi or yandex mobile browsers in their life. Google Chrome itself is used by 62%. You're from the rest of the 5% trying to claim the usability of extensions.

Cromite is FOSS. You are very eligible to fork the browser, patch the extension support yourself and create a pull request and he'll be glad to merge it if everything goes well. Unfortunately this is not his priority to work on.

aicynide commented 4 months ago

> But you can't decide what's usable and what's unusable for everyone.

Ok

> You are very eligible to fork the browser, patch the extension support yourself and create a pull request and he'll be glad to merge it if everything goes well.

Why do you think I or anyone asking for feature request is or have to be a Programmer? I'm a businessman. You are saying "But you can't decide what's usable and what's unusable for everyone" and now also forcing me to have technical knowledge? You aren't a normal person that's why always reply rudely

Are you by any chance a Communist/Zionist?

foxjaw commented 4 months ago

> Why do you think I or anyone asking for feature request is or have to be a Programmer? I'm a businessman.

The feature request has already been opened. You aren't helping in any way by adding "me too" in this discussion. It's not gonna increase the priority of this FR. This isn't politics. If you have any valuable tips to give other than "please implement it quickly", you are free to do.

> now also forcing me to have technical knowledge? You aren't a normal person that's why always reply rudely

This is a foss project. If you aren't willing to learn and contribute, there's no way the issues get resolved.

Secret-chest commented 4 months ago

> If you aren't willing to learn and contribute, there's no way the issues get resolved.

If you aren't willing to change this mentality that FOSS is only for devs, FOSS will never see adoption, and users will make poor choices. Discussion is also a form of contribution.

foxjaw commented 4 months ago

> If you aren't willing to change this mentality that FOSS is only for devs, FOSS will never see adoption, and users will make poor choices. Discussion is also a form of contribution.

That is what I've said. If you have any points to make regarding the feature request, please do. Adding a "me too" like a herd will not help anyone.

sid44sid commented 4 months ago

Dear @uazo Could you please check work of custom adblock scripts. Here is an example. If I use default adblock+ lists in Cromite, the highest score in d3ward adblock test (https://d3ward.github.io/toolz/adblock) is 65%. Then I add some custom scripts (some of them are recommended in d3ward FAQ). After that I get 99% score, but ads are still coming (especially incremented by Yandex). Please check attached screens.

![Custom filters to get 99](https://github.com/uazo/cromite/assets/77569802/ff298bf9-85ff-474c-a1bd-1c9d7a4ebc73) ![99-1](https://github.com/uazo/cromite/assets/77569802/627db717-6ea2-4f11-a837-d984eedc6098) ![99-2 ad scripts loading](https://github.com/uazo/cromite/assets/77569802/51321f3f-7fc4-4c38-b5e2-ec29ca0e0fe4)

This is how web-pages are looking. :(

![Example of ads](https://github.com/uazo/cromite/assets/77569802/793ec908-d762-4a7a-8c5c-903b4f17f613)

But in Kiwi + Ublock + https://easylist-downloads.adblockplus.org/cntblock.txt no ads at all on the same page/phone.

![Kiwi + UO + counters No ads](https://github.com/uazo/cromite/assets/77569802/5d77295e-a468-427d-b11f-db9270541486)

TheHCJ commented 3 months ago

+1 I would love to see this

buawf commented 3 months ago

> Dear @uazo Could you please check work of custom adblock scripts. Here is an example. If I use default adblock+ lists in Cromite, the highest score in d3ward adblock test (https://d3ward.github.io/toolz/adblock) is 65%. Then I add some custom scripts (some of them are recommended in d3ward FAQ). After that I get 99% score, but ads are still coming (especially incremented by Yandex). Please check attached screens.
>
> This is how web-pages are looking. :(
>
> But in Kiwi + Ublock + https://easylist-downloads.adblockplus.org/cntblock.txt no ads at all on the same page/phone.

Whats the blocking percentage of Kiwi Browser with default lists ?

xd003 commented 2 months ago

Looking forward to getting this done

Rusenche commented 5 days ago

I decided to experimentally test and installed arm64_ChromePublic.apk - https://github.com/uazo/cromite/releases/tag/v128.0.6613.120-c609027f1a1a0961bb668668edd866e741579109/

I'll be honest - without the ability to install extensions - whatever improves privacy, it's not for me. Even the basic - you open eg google to search for anything and whoop - immediately cookies. Well, this is just the beginning of the many inconveniences when there is no possibility to install extensions.

Tried looking for this flag chrome://flags/#extension-mime-request-handling - turns out it doesn't exist.

Tried to install crx file - again impossible.

Everyone should put his hand on his heart and admit to himself - does he like this type of Internet and if he doesn't like it - can he use the Internet without the possibility of installing extensions.

Privacy is one side of things, the other side of things is the ability to create convenience by being able to install extensions to use the Internet in its current totally advertising form. I was frank - in this kind of Internet as it is - it is inconvenient, but to use the Internet without being able to install extensions - I can't. Everyone has some personal tolerance threshold.

I repeat - I honestly admit - without installing extensions I can't. I have uninstalled Cromite from my android phone.

xd003 commented 5 days ago

Extensions are essential for most users, and I believe they greatly enhance functionality. If it's not too much effort, it can be made optional with a toggle for the 1% users. Moreover I think normies who aren't using any extension for browsing aren't gonna be using something like Cromite in first place, they must be using Chrome without any adblocking lol

DI555 commented 5 days ago

worse of extensions lack - is only hidden extensions deep down in chromium.. i read that they’re all deleted by the ungoogled team for their project.. hope, in Cromite will be the same way of its deletion!!!

uazo commented 4 days ago

I don't understand you, honestly. Leaving aside that slight hint of controversy, I do not understand how extensions can improve this browser.

why don't you make a list of possible extensions that are really useful for a browser like cromite wants to be? EDIT: excluding ublock, that I understood :)

9cento commented 4 days ago

> why don't you make a list of possible extensions that are really useful for a browser like cromite wants to be? EDIT: excluding ublock, that I understood :)

I'll start: Privacy Badger, Decentraleyes, ClearURLs, HTTPS Everywhere, Redirect AMP to HTML, Don't track me Google, I still don't care about cookies, Tampermonkey. The list goes on...

rywz commented 4 days ago

> > why don't you make a list of possible extensions that are really useful for a browser like cromite wants to be? EDIT: excluding ublock, that I understood :)
>
> I'll start: Privacy Badger, Decentraleyes, ClearURLs, HTTPS Everywhere, Redirect AMP to HTML, Don't track me Google, I still don't care about cookies, Tampermonkey. The list goes on...

There's no need for every extension provided here. uBlock Origin does everything needed to be done. And by integrating it to the browser itself, we wouldn't need any extension support or whatsoever.

9cento commented 4 days ago

> > > why don't you make a list of possible extensions that are really useful for a browser like cromite wants to be? EDIT: excluding ublock, that I understood :)
> >
> > I'll start: Privacy Badger, Decentraleyes, ClearURLs, HTTPS Everywhere, Redirect AMP to HTML, Don't track me Google, I still don't care about cookies, Tampermonkey. The list goes on...
>
> There's no need for every extension provided here. uBlock Origin does everything needed to be done. And by integrating it to the browser itself, we wouldn't need any extension support or whatsoever.

I just listed the privacy-related ones because if we take into account the quality of life ones the list would go on forever, and those are even more needed if you ask me. But hey this thread is opened since forever, if there's no willingness to do the thing one could just say it, close the thread and call that a day imho

uazo commented 4 days ago

> close the thread and call that a day imho

no, it's not like that. the desire is there, I just don't believe it to be a priority and above all there's still no one who is convincing me (technically speaking) that it is. because it is easy to list a list of extensions that might be useful for privacy, less so to check whether they actually are. anyway, i have the list now. i will look at their source code to see if there is anything actually needed in cromite (again in my opinion).

pony-montana commented 4 days ago

the only extension I would install is ublockorigin, and the reasoning for why enable extensions is the same reason why I cant have ublockorigin in cromite today. Add a new adblocker in cromite takes forever, and when there will be a new good extension that make sense for most of user to have it will take forever to be integrated in cromite. Just enable extension gives to people choice to add what they want. We agree that ublock origin is valuable to add. Then can it be added in the next release? Why not? And eyeo would be removed? It works, not so good, but works. This is the reason to just enable extensions: it seems to be impossible to add valuable extension in cromite in reasonable time. This is exactly why extensions exists.

9cento commented 4 days ago

> the only extension I would install is ublockorigin, and the reasoning for why enable extensions is the same reason why I cant have ublockorigin in cromite today. Add a new adblocker in cromite takes forever, and when there will be a new good extension that make sense for most of user to have it will take forever to be integrated in cromite. Just enable extension gives to people choice to add what they want. We agree that ublock origin is valuable to add. Then can it be added in the next release? Why not? And eyeo would be removed? It works, not so good, but works. This is the reason to just enable extensions: it seems to be impossible to add valuable extension in cromite in reasonable time. This is exactly why extensions exists.

We've told him that and other valid reasons multiple times but he keeps arguing even on what is obviously true and right, at this point I think he just wants you to keep begging to pump his ego more and more

uazo commented 4 days ago

ha ha, no ego to pump.

the basic reason is that the eyeo implementation is ready to be inserted, whereas ublock necessarily needs the activations of the extensions and, I think, much much more, including the ui and the possible security issues that would be created. that's all.

> Then can it be added in the next release?

no, the work is immense, perhaps it's not easy to understand.

9cento commented 4 days ago

> perhaps it's not easy to understand.

Exactly the pretentious reply I was expecting. Nobody thinks it's an easy task but I just wanted to remind you that this issue is opened since one year, I think that should suffice to do the job even if it's a hard one. Not saying that you have to tho, you owe us nothing, I'm just pointing out the obvious. I'm done, good luck and goodbye

xd003 commented 4 days ago

Given the success of Cromite, it seems like it could greatly benefit from integrating elements of Kiwi's code, particularly in enabling extension support. While there are several Chromium-based browsers that offer this feature, many have controversially copied Kiwi's code without proper credit, and some originate from questionable sources. I won’t name them, but a few are even based in China, raising further concerns. If Uazo were to take this on and implement extension support in Cromite, the result could be far superior. Considering how highly regarded Cromite already is, adding this functionality could truly set it apart.