> Chrome have fortunately recently released a "extension side panel" mode, and since only DOM changes can be easily identified, using the chrome extension side panel would be virtually un-detectable however this is far less intuitive to use and requires the user to perform some action to open the sidepanel every time they want to use the extension.
replyAs an end user I could not find an option to open the side panel
Yeah I mean it's not very commonly used by extensions. I quite like it as it's completely isolated and not detectable.
I built my first extension which uses it as the primary interface yesterday: https://github.com/Am-I-Being-Pwned/PGP-Tools
reply`use_dynamic_url` seems like it should be enabled by default, maybe with a phase-out period for backwards compatibility with older extensions.
replyYeah I agree. All new extensions should have this for their web_accessible_resources.
replyWith that said, the chrome web store ecosystem has bigger problems infront of them. For example, loads of extensions outright just send every URL you visit (inc query params) over to their servers. Things like this just shouldn't happen, imagine you installed an extension from a few years back and you forgot about it, that's what happened to me with WhatRuns, which also scraped my AI chats.
I'm working on a tool to let people scan their extensions (https://amibeingpwned.com/) and I've found some utterly outrageous vulnerabilities, widespread affiliate fraud and widespread tracking.