Disable Auto-Updating Extensions #3811
Labels
closed/duplicate
Issue has already been reported
priority/P5
Not scheduled. Don't anticipate work on this any time soon.
Description
When I look at the extensions list in Brave, I see no way to disable automatic updates. In Firefox, I can disable automatic updates of extensions on a per-extension basis. In Chrome, I cannot disable automatic updates of extensions.
It is possible that Brave doesn't do auto-updates of extensions at all, in which case I can change this issue to be one of documentation, since searching the internet and GitHub issues didn't yield any results that indicated one way or another, so my default is to assume it behaves like Chrome dose.
Brave version (brave://version info)
Revision | 909ee014fcea6828f9a610e6716145bc0b3ebf4a-refs/branch-heads/3683@{#803}
OS | Windows 10 OS Build 17763.379
Additional Information
Automatic updates can be an attack vector where you compromise a single extension author's private keys/password and you can then distribute malicious code to every user of that extension. By default, extension automatic updates should be disabled. Users should be able to enable automatic updates if they choose, but I'm generally a fan of "secure by default" and I don't believe that the benefits of auto-updates of extensions outweighs the costs of auto-updates, unlike browser updates which do carry significant benefits with regards to the web as a whole.
Alternatively, if defaulting to auto-updates on is deemed worth it, then there should be an option to disable automatic updates like Firefox has, ideally on a per-extension basis. An extension with minimal access to anything may be worth auto-updating, while a security critical extension (like a signing tool) may not be.
Note: If this is already a feature then we can turn this issue into a documentation request, as I was unable to find any information on Brave's extension update policy.
The text was updated successfully, but these errors were encountered: