Adjust messaging (or remove) for side loading of extensions #4349

Closed
bbondy opened this issue May 8, 2019 · 57 comments
Labels: design (A design change, especially one which needs input from the design team), feature/extensions, priority/P4 (Planned work. We expect to get to it "soon".), QA Pass-Linux, QA Pass-macOS, QA Pass-Win64, QA/Test-Plan-Specified, QA/Yes, release-notes/exclude, security

Comments

@bbondy
Member

bbondy commented May 8, 2019

Test plan

  1. Open https://developer.chrome.com/extensions/samples in a new tab
  2. Download one of the sample extensions and unzip
  3. Visit chrome://extensions/
  4. Enable developer mode
  5. Click Load unpacked and then pick the folder where the extension was unzipped (step 2)
  6. Warning should not be shown (see picture below for example)
  7. Restart browser
  8. Warning should not be shown on startup (see picture below for example)

Description

We inherit the following UI from Chromium:
[screenshot]

We should adjust the messaging for this since we sometimes recommend certain extensions be manually installed when the Chrome store doesn't allow them.

Note that we don't have our own store right now, so this isn't about policy of what should or shouldn't be allowed.

We definitely don't need to keep showing it every time you launch the browser.

@bbondy changed the title from "Adjust messaging for side loading of extensions" to "Adjust messaging (or remove) for side loading of extensions" on May 8, 2019
@rebron
Collaborator

rebron commented May 8, 2019

A suggestion from #1432 is to remove notification from dev channel but keep warning in release/beta.

@BriantGea

Not sure exactly what all this means..... but having that stupid developer warning keep popping up every fucking single damn time you launch the browser is fucking annoying as fucking hell.

I got it the first damn time... I am not a 3yo that needs to be told something every 3 fucking minutes.

@bbondy
Member Author

bbondy commented May 8, 2019

I wasn't aware it pops up every time you launch the browser, I put a comment for that in the issue's first post.

@Mr-Mondragon

> A suggestion from #1432 is to remove notification from dev channel but keep warning in release/beta.

To be honest, this is not a good idea. This more or less 'forces' people to use a dev version (or put up with the nagging popups forever). I am a normal user of Brave, and as such I should be using the official version. Besides, I keep things up to date with package managers, and using the dev channel would cause extra maintenance effort.

@Mr-Mondragon

Let me please stress this again, as I think security is the most important concern of all this:

Keeping the same popup showing up every time makes security WORSE, not better!

I totally understand the reasons for this popup. Really. But I have a self-made developer extension, and Brave warns me every single time. Despite the fact that I am with absolute 100% certainty NOT at any risk. Extremely annoying. After doing this a 100 times or so, clicking it away becomes something automatic, you do it unconsciously.

Can you please reconsider this feature, but with two critical changes:

  1. Only offer the option to not show the warning again for that specific version of that particular extension. Whenever a different extension is loaded, or if this one is changed (!) the warning should appear again.
  2. Maybe make the "do not warn me again about this specific version of this particular extension" feature optional. So by default it's not there, but you can enable a setting to get it. To protect the user from doing this accidentally.

I think overall security would be served best by this approach. Better than how it's done now, which introduces the risk that people develop the habit of clicking away the warning automatically. Very dangerous, this is not what we want if we have security in mind.

Thank you for your consideration.

@JimmyMJB2

I only recently fully committed to using Brave as my primary browser after the Firefox certificate fiasco.

My decision to abandon Firefox (after using it since its inception), wasn’t so much for how avoidable that whole catastrophe was. It was the culture that revealed itself when I looked into the cause. Immediately upon switching to Brave, I messed around with sideloading extensions. When I saw the popup, I wasn’t bothered at all. Totally makes sense to warn a user when they make a change like that.

Then it happened again. The third time it happened I thought, certainly I can find the setting to turn this off. When I couldn’t, I’ll admit I was pretty disheartened.

It’s a simple thing, but having just experienced all of my extensions being disabled 'remotely' (without any official way for me to remove Firefox’s boot from my neck) it chipped away a bit of my confidence in Brave.

I have no doubt there are other Firefox refugees that are moving to Brave for this very same reason. And I know some of them got the same vibe when they saw that warning wag its finger at them with no option to disable it.

Love the Browser. You’re doing a great job. Keep it up and please – keep it open.

@BriantGea

> I wasn't aware it pops up every time you launch the browser, I put a comment for that in the issue's first post.

Yep,
EVERY SINGLE TIME......... super annoying to have to deal with for an extension I don't foresee removing.

@Mr-Mondragon

In short:

  1. Don't just remove the warning.
  2. Make it optional to remove the warning, but only for that specific version of that specific extension.
  3. Make the option optional, i.e. don't show the "don't show this warning again" checkbox in the popup, unless this feature is explicitly enabled somewhere in the settings. To make absolutely 100% sure nobody is missing any warnings by accident.

This seems the most sensible approach to me, and more importantly: the safest approach.
Safer than it is now.
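
The proposal made in the two comments above (dismiss the warning only for one specific version of one specific extension, behind a setting that is off by default) can be modelled as follows. This is an added illustration, not part of the thread and not Brave or Chromium code; `SideloadWarningPolicy`, `fingerprint` and the sample extension contents are hypothetical.

```python
import hashlib
import json

def fingerprint(files):
    """SHA-256 over every path and file body of an unpacked extension."""
    h = hashlib.sha256()
    for path in sorted(files):
        for part in (path.encode(), files[path]):
            # Length-prefix each field so bytes cannot shift between path and body.
            h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()

class SideloadWarningPolicy:
    """Hypothetical policy object; not Brave or Chromium code."""

    def __init__(self, allow_dismiss=False):
        self.allow_dismiss = allow_dismiss  # opt-in setting, off by default
        self.acknowledged = set()           # {(extension id, version, fingerprint)}

    def _key(self, ext_id, files):
        try:
            version = json.loads(files["manifest.json"])["version"]
        except (KeyError, ValueError, TypeError):
            return None  # unreadable manifest: never eligible for dismissal
        return (ext_id, str(version), fingerprint(files))

    def offer_checkbox(self):
        # The "do not warn again" checkbox only exists when the setting is on.
        return self.allow_dismiss

    def acknowledge(self, ext_id, files):
        key = self._key(ext_id, files)
        if not self.allow_dismiss or key is None:
            return False
        self.acknowledged.add(key)
        return True

    def should_warn(self, ext_id, files):
        key = self._key(ext_id, files)
        return not (self.allow_dismiss and key in self.acknowledged)

# Constructed sample: one unpacked extension, then the same version with an edited script.
V1 = {"manifest.json": b'{"name": "demo", "version": "1.0"}',
      "background.js": b"console.log('hello');"}
V1_EDITED = dict(V1, **{"background.js": b"console.log('changed');"})

def demo():
    policy = SideloadWarningPolicy(allow_dismiss=True)
    policy.acknowledge("demo-id", V1)
    return (policy.should_warn("demo-id", V1),         # acknowledged build
            policy.should_warn("demo-id", V1_EDITED),  # same version, changed file
            policy.should_warn("other-id", V1))        # different extension
```

Because the acknowledgement key includes a hash of every file, editing any file brings the warning back even when the manifest version is unchanged.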

@ArakoKatoc

Showing the warning once a week. Once a month... hell I'll even take once a day, that's really -really- annoying and makes me consider whether I want to continue using brave, but I can swallow it. Fact is I've already sideloaded an extension, whatever damage it can do, is already done. Warning me about it every time I open the browser is only driving me to either 1) change browsers to something else, or 2) Ignore the warning entirely, and click blindly through whatever warnings Brave wants to throw up there any time I log in, so if you have -any- other security-related warnings, they better all be a thousand times less important than this one, because this one is going to make me ignore the content of literally any warning Brave puts in front of me.

In order for me to be sideloading an extension, I need to have a capacity through my own ability, or someone close to me who can walk me through it, to use my browser at an elevated level. There is nothing that irritates me more than a program that treats me like a child. I know what I'm doing, I know the risks, and it's my computer, my browsing experience, I should be the one making decisions. Caveat Emptor. Let it be on my own head.

@onmyouji

onmyouji commented May 9, 2019

> Keeping the same popup showing up every time makes security WORSE, not better!

Agree, this has been mentioned so many times, I hope they read the comments and understand our concerns. It's not just about the popup being annoying.

The popup is supposed to warn us about malicious extensions, but it becomes useless because users (who sideload their own extensions) just instinctively close it.

@BriantGea

Anyone that is going to be doing this very likely has SOME BASIC knowledge of technology.
This isn't something your grandma and grandpa are going to be doing..... this warning is pretty pointless if you ask me.
I mean really..... think about who your target audience for this browser is................

@ArakoKatoc

> Anyone that is going to be doing this very likely has SOME BASIC knowledge of technology.
> This isn't something your grandma and grandpa are going to be doing..... this warning is pretty pointless if you ask me.
> I mean really..... think about who your target audience for this browser is................

I mean... maybe you should consider the fact that you don't know their target audience... I'd characterize their target audience as a large market share of privacy conscious individuals, and to that end, a warning that you have deliberately chosen to configure your browser in an insecure fashion does make sense, however requiring an equally convoluted and complicated method of disabling or delaying the message would be able to accomplish the same goal without irritating people who write their own extensions that they don't -want- loaded publicly.

@Mr-Mondragon

> a warning that you have deliberately chosen to configure your browser in an insecure fashion does make sense

It is certainly not necessarily in an insecure fashion. For example, if you wrote the extension yourself and are just using it locally.

@ArakoKatoc

I believe what they're INTENDING to say here is that having developer mode enabled to allow the sideloaded extensions is inherently insecure. Not that the extensions themselves are. I'm not sure on that though.

@BriantGea

> I mean... maybe you should consider the fact that you don't know their target audience... I'd characterize their target audience as a large market share of privacy conscious individuals, and to that end, a warning that you have deliberately chosen to configure your browser in an insecure fashion does make sense,

Um.... yes that is their target audience. o.O
Privacy conscious individuals are the ones that KNOW what is being done with our information and the dangers it is leading to. So I would say they know the dangers of manually installing an extension.
(So again... don't need to be told even once a month... hell even once a year..... that they have a manually added extension.)

@Kaerakh

Kaerakh commented May 10, 2019

Hi,
I load an extension I do not intend to publish.

The first time I received this notification I thought it was considerate and I appreciated it.
20+ new sessions, and an equal number of prompts closed later I do not appreciate this notification and it is adversely affecting my user experience. Please add an option to not show again or to not show again for currently loaded extensions.

This outlined scenario is not a security concern. The user in the outlined scenario has either ignored the notification or understands and acknowledges the notification. There is no security or legitimate reason to repeatedly prompt the user with the same notification over and over ad infinitum.

@ArakoKatoc

@BriantGea You're conflating security conscious with technologically capable. Just because someone wants their data kept private, and knows that Brave is a browser that keeps that in mind, doesn't mean they know anything about extensions and the dangers they might present. Meaning that those with the technological background to be considered to have informed consent at the outset without a warning in the first place are actually just a small subset of those people who are their target audience. Average users within their target audience may have no idea how dangerous extensions can be.

That said. After a hundred warnings I'm pretty sure either we understand the risk and don't care, or we're ignoring the warning. Either way the warning is no longer serving a purpose.

@BriantGea

> @BriantGea You're conflating security conscious with technologically capable.

Just because someone can't make an extension doesn't mean they don't know the very basics of how they work.
And anyone that is security conscious knows that a lot of apps on your phone have code to harvest your personal data.... and an extension is similar. (Just instead of adding to an OS you are adding it to a browser)

But yes, as the "warning" is now... it only serves to drive people away from the platform.

@rebron added the design and priority/P4 labels on May 10, 2019
@GriNours

Thank you for putting it in the roadmap rebron :)

@bsclifton
Member

@kiloJuliet an alternative to the Chrome Web Store is possible - the URLs recognized by Chromium are in src/extensions/common/extension_urls.cc (variable is called kChromeWebstoreBaseURL).

I'd suggest making a new issue capturing your feedback in a way that can be actionable (Add support for more than one official store, etc) as this issue is for hiding the side loading notification. Thanks! 👍

@rossmoody
Contributor

This may need additional investigation. I am no longer getting this warning on Nightly.

@bsclifton
Member

interesting - I wonder if this was impacted by the field trial changes that were just merged?
cc: @jumde

@jumde
Contributor

jumde commented May 31, 2019

It's related to the ExtensionDeveloperModeWarning experiment being turned off. I'm not sure what the final decision about the change is, but it can be easily enabled/disabled. cc: @tomlowenthal @bsclifton

@tildelowengrimm
Contributor

My preference is to continue displaying the warning as before in all CI builds except for a special actually-for-developers build (like Firefox has) in which it can be disabled. In the absence of a special developers build, I'm begrudgingly okay with allowing a preference to disable it in Nightly and in Dev.

@bsclifton
Member

Since this is currently disabled, because of the field trials... I'm going to close this issue

@tomlowenthal can you create a new issue for the behavior you think makes sense? 😄

@bsclifton added this to the 0.68.x - Nightly milestone on Jun 25, 2019
@tildelowengrimm
Contributor

New issue is #5063.

@kjozwiak
Member

kjozwiak commented Aug 2, 2019

@bsclifton is there anything QA can do here? Sounds like this was disabled due to the field trials work. Would a simple test case of side loading an extension manually and making sure the modal popup doesn't appear be sufficient? If there's anything else that needs to be QA'd here, please let me know 👍

@bsclifton
Member

@kjozwiak that would be a great test - let me add the labels and some test steps

@kjozwiak
Member

kjozwiak commented Aug 2, 2019

Great, thanks @bsclifton! Much appreciated!

@bsclifton
Member

@kjozwiak top post edited 👍

@btlechowski

btlechowski commented Aug 14, 2019

Verification passed on

Brave 0.68.128 Chromium: 76.0.3809.100 (Official Build) beta (64-bit)
Revision ed9d447d30203dc5069e540f05079e493fc1c132-refs/branch-heads/3809@{#990}
OS Ubuntu 18.04 LTS

Verified steps from the description.

Verification passed on

Brave 0.68.128 Chromium: 76.0.3809.100 (Official Build) beta (64-bit)
Revision ed9d447d30203dc5069e540f05079e493fc1c132-refs/branch-heads/3809@{#990}
OS Windows 7 Service Pack 1 (Build 7601.24494)

Verified steps from the description.
Logged #5653

Verified passed with

Brave 0.68.130 Chromium: 76.0.3809.100 (Official Build) (64-bit)
Revision ed9d447d30203dc5069e540f05079e493fc1c132-refs/branch-heads/3809@{#990}
OS Mac OS X
  • Verified Test Plan from description.
