
Is there any way to only allow Chrome extensions to update with permission? It seems like any extension on the store could become malicious overnight, automatically, for millions of users.


Most users have no way to vet a Chrome extension update (or on initial install). If we want strong security for everyone, we need better solutions than that.


Here is one workaround: if you have to use a Chrome extension, make a separate profile just for that task. Don’t run any by default.


AFAIK there are two ways for this, neither of which is convenient to use: install all extensions from the source (you can unpack an existing crx for it or use their cloned repo if it's open source) or use a group policy to disable extension auto-update and update each of them manually when the new version has something you want.


I don't think so. However, extensions are automatically disabled if they request more permissions. And in Manifest v3 most extensions won't have access to most pages unless you click on them.


> And in Manifest v3 most extensions won't have access to most pages unless you click on them.

That's not necessarily true.


Personally I have 15 extensions installed. Only four of them have access to all sites, and two of those are because they are not updated to Manifest v3 yet. I didn't say it was impossible for a Manifest v3 extension to have access to all sites. Most will not.
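
An added example, not part of the thread: a Python sketch that compares the `manifest.json` of two unpacked versions of an extension and reports what the newer one requests that the older one did not, including whether it gains access to all sites. It is a raw comparison of manifest keys, not Chrome's own permission-increase check, and the sample manifests are constructed.

```python
import json

# Match patterns that cover every site (Chrome match-pattern syntax).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def requested(manifest):
    """Return (api_permissions, host_patterns) granted at install time.
    optional_permissions are skipped: they need a later user prompt."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3 key
    if manifest.get("manifest_version", 2) < 3:
        # Manifest V2 lists host patterns inside "permissions".
        mixed = {p for p in perms if "://" in p or p == "<all_urls>"}
        hosts |= mixed
        perms -= mixed
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return perms, hosts

def has_all_sites(manifest):
    return bool(requested(manifest)[1] & ALL_SITES)

def update_diff(old, new):
    """What the new version requests that the old one did not."""
    old_p, old_h = requested(old)
    new_p, new_h = requested(new)
    return {
        "added_permissions": sorted(new_p - old_p),
        "added_hosts": sorted(new_h - old_h),
        "gains_all_sites": has_all_sites(new) and not has_all_sites(old),
    }

# Constructed sample manifests (not from a real extension).
OLD = json.loads("""{"manifest_version": 3, "version": "1.0",
  "permissions": ["storage", "activeTab"],
  "host_permissions": ["https://example.com/*"]}""")
NEW = json.loads("""{"manifest_version": 3, "version": "1.1",
  "permissions": ["storage", "activeTab", "webRequest"],
  "host_permissions": ["https://example.com/*", "<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["c.js"]}]}""")
MV2 = {"manifest_version": 2, "permissions": ["tabs", "*://*/*"]}

if __name__ == "__main__":
    print(json.dumps(update_diff(OLD, NEW), indent=2))
    print("MV2 sample has all-sites access:", has_all_sites(MV2))
```
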


> Is there any way to only allow Chrome extensions to update with permission?

With a firewall.


Can a firewall rule distinguish between an extension update and a new install? Would blocking the entire Chrome Web Store cause other problems in Chrome?



