Brave-browser: Disable developer mode extensions warning every session

protects novice users. marking wontfix.

I think novice users don't typically side load extension so we're only punishing people who know the repercussions of doing this and not giving them the ability to suppress an annoying alert that surfaces every time they open Brave.

@rossmoody #1406 might solve this one as well?

@rebron apologies, didn't realize this was closed communally in a triage meeting. i'll reinstate your direction here and if community or someone else decides it's worth pursuing down the road it'll come about naturally.

I also want a way to disable this warning.

Let's re-open this and keep it a low priority (we don't have any official plans to prioritize it at the moment)

If a community member wanted to grab this, we could potentially add a new toggle switch on our settings page for it (and we can help answer questions / share examples that touch similar code)

This warning exists to protect people from malicious side-loaded unsigned extensions. Creating a way to turn it off removes that protection. You only see this warning if your browser is in a dangerous configuration state — which is what it's for.

Discussed at this week's security review and we agree that this is an important safety warning.

The warning is good, not being able to turn it off after I know the security concerns is a really annoying behavior. I have an SVG extension I'm never going to disable so Brave is immediately annoying every time I open it. This should really be addressed but we keep opening and closing the issue.

cc @bradleyrichter to add to the list of interruptions

Thought about this over a cheeseburger.

1. Could have it be surfaced as a passive 'toast' type of notification that doesn't require being explicitly dismissed by the user and disappears after a few seconds.
2. Could surface a button to suppress for a determined amount of time instead of indefinitely. Don't warn me again for 3 months.
3. Could institute some type of extension whitelist per profile.

Brave is annoying you because you are in a bad, dangerous, unsupported configuration. No end user should be using unsigned dev mode extensions. That SVG extension should be distributed through the web store, not by sharing the binary around. Extensions are one of the most substantial security risks in the browser, and explicitly only supported via the store. And malware authors have demonstrated that they're wiling to abuse any whitelist/preference/command-line-flag/&c. to get around these sorts of warnings.

I'm sorry, this one's a hard no from the security team.

What we could however do is make it optional but only on Dev channel builds. That channel has different guarantees from beta/release, and shouldn't be used by most people. I still very much dislike this approach, but it's only a soft no from me.

I'm dealing with the same issue. I have a self made developer extension, and Brave warns me every single time. Extremely annoying. After doing this a 100 times or so, clicking it away becomes something automatic, you do it unconsciously.

Please note, as this is very important: this makes security WORSE, not better.

People who deliberately sideload a dev extension typically know what they're doing. By bothering them with the same warning popup over and over, the warning loses its significance. For me, I probably wouldn't even notice if there is some other extension that I (perhaps accidentally?) loaded, one that might actually be risky, because I always click away the warning immediately without reading it. Now someone may say that's a mistake. I say it's extremely bad design to make people read the same thing hundreds of times and still think it helps security instead of damaging it. Theory vs practice, it just doesn't work that way.

Can I please suggest to reconsider, but with the following critical distinction: only offer the option to not show the warning again for that specific version of that particular extension. Whenever a different extension is loaded, or this one is changed, the warning should appear again.

Or perhaps if this makes a difference: maybe make the "do not warn me again about this specific version of this particular extension" feature optional. So by default it's not there, but you can enable a setting to get it. To protect the user from doing this accidentally.

Thank you for your consideration.

Brave is annoying you because you are in a bad, dangerous, unsupported configuration. No end user should be using unsigned dev mode extensions. That SVG extension should be distributed through the web store, not by sharing the binary around.

Not sure about the other guy's SVG extension, but I'm using my own self-made extension. I use it for automating various tasks in my everyday workflow. It's not a public extension. There's perfectly valid use cases for that and it's very safe.

Brave is annoying you because you are in a bad, dangerous, unsupported configuration. No end user should be using unsigned dev mode extensions. That SVG extension should be distributed through the web store, not by sharing the binary around. Extensions are one of the most substantial security risks in the browser, and explicitly only supported via the store. And malware authors have demonstrated that they're wiling to abuse any whitelist/preference/command-line-flag/&c. to get around these sorts of warnings.

I'm sorry, this one's a hard no from the security team.

What we _could_ however do is make it optional but only on Dev channel builds. That channel has different guarantees from beta/release, and shouldn't be used by most people. I still very much dislike this approach, but it's only a soft no from me.

Paranoia. As others have replied, that warning does not mean you are in a dangerous browser configuration.

There are legitimate reasons for using an extension outside of the chrome store - from using a homebrew to scroogle overlords forcing their worldview on developers and banning/deprecating extensions and apps (AutoforwardSMS & Dissenter, for example).

I would also like this.

Chrome recently removed the Dissenter extension in a censorship effort forcing me to manually install this extension.

I do think the warning is a good idea, but not allowing any sort of customization is not good. I'm sure many people will be doing the same manual install for the same extension, by manually downloading the file and importing it in the brave extension page. I dont need a constant reminder telling me I manually installed dissenter. I also don't need the dev team holding my hand, telling me which extensions I should and shouldn't use.

Thanks!

The excellent bypasspaywalls by Adam extension (which has been removed from the Chrome store) is an addon that many people love. The only way to add this extension due to Google's censorship is to side load it.
Why are we making it harder for people to take control of their own browsers? I don't want to restate the other arguments, but there are examples of censored or politically incorrect extensions that are not harmful but removed due to Goolag's draconian policies. We should be encouraging more freedom, not less; don't make it harder for the user to use the extensions they want.

I thought Brave was started because of the things big tech is doing.....
HOW are you seemingly unaware of them banning extensions from the webstores for having the "wrong" political views??

Annoying your customer base EVERY TIME we launch the browser is NOT going to make us safer or make us want to use your product.

I don't want to see this warning EVERY TIME i launch the browser............. I got it THE FIRST TIME!!!

Let us turn it off and/or make your own web store.

Crazy how this still isn't resolved. As already pointed out, there are NUMEROUS situations where one would wan to install an extension from an outside source. Showing that warning every time is just crying wolf, and defeats the purpose

what about an exception per extension - the rationale for the warning is sensible, so now need to figure out the other common use-cases.

the biggest threat is malware authors using scripts to auto suppress warnings, if the option is per extension instead of oh some extension is running in dev mode, that's a security risk be like this [name of extension] is running in dev mode, that's not great have a tick box to suppress the warning for 7-days.

It looks to me like they are showing this thread as cosed.... so does that mean they aren't going to change this stupid notice?? :'(

Do we have to open a new thread?

I agree with Mr-Mondragon, annoying the user with the same warning over and over is making security worse.
You should consider offering the possibility to whitelist developers extensions to supress this warning, or at least making it disappear a few seconds after it poped up.

I am EXTREMELY dissapointed with this.

I switched to brave thinking it treats its users like adults capable of their own decisions.

Now I get nagged because I installed Dissenter - which I cannot do on Firefox or Chrome due to them banning the extension because of draconian censorship decisions.

And don't give me the crap about GAB being Far right platform with hateful opinions on it. Gab is catching flak cause they directly compete with Twitter. 4Chan has a metric f$%kton of hate on it and no one gives 2 s%^ts.

At least give us a option to whitelist certain extensions. I agree that the user should be warned about developer extensions, but not being able to whitelist a known safe extension is absolutely ludicrous.

Agreed

I am still wondering if this will ever get looked at again as it is "closed"
Or
If we need to make a new thread........ I really don't want to deal with this stupid nagging message.

protects novice users. marking wontfix.
Protects NO ONE like it is now............... and what about "non-novice" users... shouldn't there be a way to turn it off for them!!

Losers, have you configure d dns off moe x yet, or taken down BTC €

On Sat, Apr 20, 2019, 3:12 PM cloaked.ninja notifications@github.com
wrote:

The excellent bypasspaywalls by Adam extension
https://github.com/iamadamdev/bypass-paywalls-chrome (which has been
removed from the Chrome store) is an addon that many people love. The only
way to add this extension due to Google's censorship is to side load it.
Why are we making it harder for people to take control of their own
browsers? I don't want to restate the other arguments, but there are
examples of censored or politically incorrect extensions that are not
harmful but removed due to Goolag's draconian policies. We should be
encouraging more freedom, not less; don't make it harder for the user to
use the extensions they want.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/brave/brave-browser/issues/1432#issuecomment-485152620,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AKY36BMFF6PSLU4GZFY6D7TPRNTJXANCNFSM4FZEYB4Q
.

Thanks for the feedback
I put up a new issue here to cover the concerns: https://github.com/brave/brave-browser/issues/4349