You may have seen the frightening warnings that Google Chrome will pop when installing a theme. “WARNING! This extension will follow you home from work!” Eek!
OK, it’s not that bad, but it can feel like it. To be fair, Google is just trying to warn you of what could happen, not what will happen. It’s kind of like your mom following you around and telling you not to get run over every time you cross the street. I appreciate the consideration, but…
This scary warning problem hit our radar because Brand Thunder Chrome Themes trigger one of them. We dug into the details and thought we’d share our findings here. I’ll go into our specific warnings and why they happen and give a look at some of the others you may encounter. Ultimately, we just want you to “practice safe surfing!”
Depending on the extension you install, it might need legitimate access to various things to do its job. For example, if you see the message that the extension can have access to “your private data on all websites,” this usually means that the extension is inserting content scripts into a page. (What the what!?!)
Content scripts are used to make changes to what’s being shown on a page. Brand Thunder’s toolbar layer (the interactive part of our interactive browser themes) is actually a small frame added to the web page in Chrome. Chrome prohibits toolbars, so it’s a workaround. Another example is an extension for blocking ads. Since it needs to modify the execution of the page to not show ads, the ability to modify page content brings you a desired functionality but also triggers the warning.
In both cases, the functionality offered means the extension can have the ability to read information submitted on the page, which may include private data. This is not to say the extensions are going to do this or do something malicious, but an extension could if the extension author is doing something inappropriate and built the extension specifically for this purpose.
That’s why you should only download extensions from authors you know or trust (they have positive reviews, a lot of users, good reputation, great brands and so on). This is the same rule to follow when installing software in general.
The warning pictured above is the one that haunts our Chrome theme installations. Below is a list of the warnings that Google Chrome may generate and a brief description of what they mean.
Did we miss any Google Chrome Warnings? If so, let us know in the comments.
| Warning message | Manifest entry that causes it (What it’s accessing) | Translation |
|---|---|---|
| All data on your computer and the websites you visit | “plugins” | Understand this one. The developer is using NPAPI plugins, which means they have some old software they’ve already written and are using it so they don’t have to write new code. This could create a serious security risk if you’re getting the extension from an untrusted source. Google manually review these because of that risk. |
| Your bookmarks | “bookmarks” permission | Can you guess? This extension can either manipulate or provide a new organization interface to your bookmarks. |
| Your browsing history | “history” permission | This extension could add, remove or look at URLs you’ve previously visited. |
| Your tabs and browsing activity | Any of the following:
|
This means the extension could be used to create, modify, and rearrange tabs in the browser or its browser windows. It also means communication can be collected by the extension about navigation which can be related to the window, tab or site you’re interacting with – like if a page doesn’t load that can be reported back. |
| Settings that specify whether websites can use features such as cookies, JavaScript, and plug-ins | “contentSettings” permission | Content settings allows extensions to change whether websites can use features such as cookies, JavaScript, and plug-ins. It allows customization of Chrome’s behavior on a per-site basis instead of globally. |
| Your data on all websites | Any of the following:
|
Too overreaching to be helpful. Pretty scary warning with no real commitment to what’s happing. Using a “debugger” command will trigger the warning, but the extension is just looking for help understanding why things went wrong. Since it bundles up information about the current state of a crash – it can technically send all the info back to the developer. If you’re embarrassed about the sites you visit and your browser crashes a lot – maybe reconsider this. |
| Your data on {list of websites} | A match pattern in the “permissions” field that specifies one or more hosts, but not all hosts | Kind of like the warning above, but information sharing is limited to 3 specific sites or subdomains of the same site. |
| Your list of apps, extensions, and themes or Manage themes, extensions, and apps |
“management” permission | Extensions that cause this warning have the ability to manage your extensions or apps. They may change the new tab experience as well. |
| Your physical location | “geolocation” permission | Extensions using this feature can determine your location and do not have to ask permission. |
| Data you copy and paste | “clipboardRead” permission | Allows the extension to use “copy,” “cut,” and “paste.” Though you probably figured this one out. I’m assuming this is how some tools take a word you’ve highlighted and put it in the search field. |
| Privacy-related settings | “privacy” permission | Any time you see privacy, you should pay attention – but it doesn’t mean panic. The way Google Chrome uses autofill on web forms, or Google Instant in their search are types of functionality that are helpful but would trigger this warning. |
