Brave-browser: Adjust messaging (or remove) for side loading of extensions

Created on 8 May 2019 · 57 Comments · Source: brave/brave-browser

Test plan

  1. Open https://developer.chrome.com/extensions/samples in a new tab
  2. Download one of the sample extensions and unzip
  3. Visit chrome://extensions/
  4. Enable developer mode
  5. Click Load unpacked and then pick the folder where the extension was unzipped (step 2)
  6. Warning should not be shown (see picture below for example)
  7. Restart browser
  8. Warning should not be shown on startup (see picture below for example)

Description

We inherit the following UI from Chromium:
[Image]

We should adjust the messaging for this since we sometimes recommend certain extensions be manually installed when the Chrome store doesn't allow them.

Note that we don't have our own store right now, so this isn't about policy of what should or shouldn't be allowed.

We definitely don't need to keep showing it every time you launch the browser.

QA Pass-Linux, QA Pass-Win64, QA Pass-macOS, QA/Test-Plan-Specified, QA/Yes, design, feature/extensions, priority/P4, release-notes/exclude, security

All 57 comments

A suggestion from #1432 is to remove notification from dev channel but keep warning in release/beta.

Not sure exactly what all this means..... but having that stupid developer warning keep popping up every fucking single damn time you launch the browser is fucking annoying as fucking hell.

I got it the first damn time... I am not a 3yo that needs to be told something every 3 fucking minutes.

I wasn't aware it pops up every time you launch the browser, I put a comment for that in the issue's first post.

> A suggestion from #1432 is to remove notification from dev channel but keep warning in release/beta.

To be honest, this is not a good idea. This more or less 'forces' people to use a dev version (or put up with the nagging popups forever). I am a normal user of Brave, and as such I should be using the official version. Besides the fact that I keep things up to date with package managers, and using dev channel would cause extra maintenance effort.

Let me please stress this again, as I think security is the most important concern of all this:

Keeping the same popup showing up every time makes security WORSE, not better!

I totally understand the reasons for this popup. Really. But I have a self made developer extension, and Brave warns me every single time. Despite the fact that I am with absolute 100% certainty NOT at any risk. Extremely annoying. After doing this a 100 times or so, clicking it away becomes something automatic, you do it unconsciously.

Can you please reconsider this feature, but with two critical changes:

  1. Only offer the option to not show the warning again for that specific version of that particular extension. Whenever a different extension is loaded, or if this one is changed (!) the warning should appear again.
  2. Maybe make the "do not warn me again about this specific version of this particular extension" feature optional. So by default it's not there, but you can enable a setting to get it. To protect the user from doing this accidentally.

I think overall security would be served best by this approach. Better than how it's done now, which introduces the risk that people develop the habit of clicking away the warning automatically. Very dangerous, this is not what we want if we have security in mind.

Thank you for your consideration.

I only recently fully committed to using Brave as my primary browser after the Firefox certificate fiasco.

My decision to abandon Firefox (after using it since its inception), wasn’t so much for how avoidable that whole catastrophe was. It was the culture that revealed itself when I looked into the cause. Immediately upon switching to Brave, I messed around with sideloading extensions. When I saw the popup, I wasn’t bothered at all. Totally makes sense to warn a user when they make a change like that.

Then it happened again. The third time it happened I thought, certainly I can find the setting to turn this off. When I couldn’t, I’ll admit I was pretty disheartened.

It’s a simple thing, but having just experienced all of my extensions being disabled 'remotely' (without any official way for me to remove Firefox’s boot from my neck) it chipped away a bit of my confidence in Brave.

I have no doubt there are other Firefox refugees that are moving to Brave for this very same reason. And I know some of them got the same vibe when they saw that warning wag its finger at them with no option to disable it.

Love the Browser. You’re doing a great job. Keep it up and please – keep it open.

> I wasn't aware it pops up every time you launch the browser, I put a comment for that in the issue's first post.

Yep,
EVERY SINGLE TIME......... super annoying to have to deal with for an extension I don't foresee removing.

In short:

  1. Don't just remove the warning.
  2. Make it optional to remove the warning, but only for that specific version of that specific extension.
  3. Make the option optional, i.e. don't show the "don't show this warning again" checkbox in the popup, unless this feature is explicitly enabled somewhere in the settings. To make absolutely 100% sure nobody is missing any warnings by accident.

This seems the most sensible approach to me, and more importantly: the safest approach.
Safer than it is now.
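
The per-version acknowledgement proposed in the two comments above, sketched as an added example (not Brave or Chromium code): the acknowledgement is bound to a SHA-256 digest of the unpacked extension's files, so a changed or different extension brings the warning back, and suppression stays off unless explicitly enabled. `extension_digest`, `AckStore` and the sample extension files are hypothetical and constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def extension_digest(ext_dir: Path) -> str:
    """SHA-256 over every file's relative path and contents, in sorted order."""
    h = hashlib.sha256()
    files = [p for p in ext_dir.rglob("*") if p.is_file() and not p.is_symlink()]
    for path in sorted(files, key=lambda p: p.relative_to(ext_dir).as_posix()):
        rel = path.relative_to(ext_dir).as_posix().encode("utf-8")
        data = path.read_bytes()
        # Length prefixes keep (name, content) boundaries unambiguous.
        for part in (rel, data):
            h.update(len(part).to_bytes(8, "big"))
            h.update(part)
    return h.hexdigest()


class AckStore:
    """Remembers which exact extension contents the user has acknowledged."""

    def __init__(self, allow_suppression: bool = False):
        # Off by default: the "don't warn again" choice must be enabled first.
        self.allow_suppression = allow_suppression
        self._acked = {}  # resolved extension path -> acknowledged digest

    def acknowledge(self, ext_dir: Path) -> bool:
        if not self.allow_suppression:
            return False
        self._acked[str(ext_dir.resolve())] = extension_digest(ext_dir)
        return True

    def should_warn(self, ext_dir: Path) -> bool:
        if not self.allow_suppression:
            return True
        acked = self._acked.get(str(ext_dir.resolve()))
        return acked != extension_digest(ext_dir)


def demo() -> list:
    """Walk through the cases on two constructed sample extensions."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_a, ext_b = Path(tmp, "ext_a"), Path(tmp, "ext_b")
        for ext in (ext_a, ext_b):
            ext.mkdir()
            (ext / "manifest.json").write_text('{"name": "sample", "version": "1.0"}')
            (ext / "background.js").write_text("console.log('hello');\n")

        store = AckStore(allow_suppression=True)
        results = [store.should_warn(ext_a)]       # never acknowledged
        store.acknowledge(ext_a)
        results.append(store.should_warn(ext_a))   # acknowledged, unchanged
        results.append(store.should_warn(ext_b))   # a different extension
        (ext_a / "background.js").write_text("console.log('changed');\n")
        results.append(store.should_warn(ext_a))   # contents changed

        default_store = AckStore()                 # suppression not enabled
        results.append(default_store.acknowledge(ext_a))
        results.append(default_store.should_warn(ext_a))
        return results


if __name__ == "__main__":
    print(demo())
```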

Showing the warning once a week. Once a month... hell I'll even take once a day, that's really -really- annoying and makes me consider whether I want to continue using brave, but I can swallow it. Fact is I've already sideloaded an extension, whatever damage it can do, is already done. Warning me about it every time I open the browser is only driving me to either 1) change browsers to something else, or 2) Ignore the warning entirely, and click blindly through whatever warnings Brave wants to throw up there any time I log in, so if you have -any- other security-related warnings, they better all be a thousand times less important than this one, because this one is going to make me ignore the content of literally any warning Brave puts in front of me.

In order for me to be sideloading an extension, I need to have a capacity through my own ability, or someone close to me who can walk me through it, to use my browser at an elevated level. There is nothing that irritates me more than a program that treats me like a child. I know what I'm doing, I know the risks, and it's my computer, my browsing experience, I should be the one making decisions. Caveat Emptor. Let it be on my own head.

> Keeping the same popup showing up every time makes security WORSE, not better!

Agree, this has been mentioned so many times, I hope they read the comments and understand our concerns. It's not just about the popup being annoying.

The popup is supposed to warn us about malicious extensions, but it becomes useless because users (who sideload their own extensions) just instinctively close it.

Anyone that is going to be doing this very likely has SOME BASIC knowledge of technology.
This isn't something your grandma and grandpa are going to be doing..... this warning is pretty pointless if you ask me.
I mean really..... think about who your target audience for this browser is................

> Anyone that is going to be doing this very likely has SOME BASIC knowledge of technology.
> This isn't something your grandma and grandpa are going to be doing..... this warning is pretty pointless if you ask me.
> I mean really..... think about who your target audience for this browser is................

I mean... maybe you should consider the fact that you don't know their target audience... I'd characterize their target audience as a large market share of privacy conscious individuals, and to that end, a warning that you have deliberately chosen to configure your browser in an insecure fashion does make sense, however requiring an equally convoluted and complicated method of disabling or delaying the message would be able to accomplish the same goal without irritating people who write their own extensions that they don't -want- loaded publicly.

> a warning that you have deliberately chosen to configure your browser in an insecure fashion does make sense

It is certainly not necessarily in an insecure fashion. For example, if you wrote the extension yourself and are just using it locally.

I believe what they're INTENDING to say here is that having developer mode enabled to allow the sideloaded extensions is inherently insecure. Not that the extensions themselves are. I'm not sure on that though.

> I mean... maybe you should consider the fact that you don't know their target audience... I'd characterize their target audience as a large market share of privacy conscious individuals, and to that end, a warning that you have deliberately chosen to configure your browser in an insecure fashion does make sense,

Um.... yes that is their target audience. o.O
Privacy conscious individuals are the ones that KNOW what is being done with our information and the dangers it is leading to. So I would say they know the dangers of manually installing an extension.
(So again... don't need to be told even once a month... hell even once a year..... that they have a manually added extension.)

Hi,
I load an extension I do not intend to publish.

The first time I received this notification I thought it was considerate and I appreciated it.
20+ new sessions, and an equal number of prompts closed later I do not appreciate this notification and it is adversely affecting my user experience. Please add an option to not show again or to not show again for currently loaded extensions.

This outlined scenario is not a security concern. The user in the outlined scenario has either ignored the notification or understands and acknowledges the notification. There is no security or legitimate reason to repeatedly prompt the user with the same notification over and over ad infinitum.

@BriantGea You're conflating security conscious with technologically capable. Just because someone wants their data kept private, and knows that Brave is a browser that keeps that in mind, doesn't mean they know anything about extensions and the dangers they might present. Meaning that those with the technological background to be considered to have informed consent at the outset without a warning in the first place are actually just a small subset of those people who are their target audience. Average users within their target audience may have no idea how dangerous extensions can be.

That said. After a hundred warnings I'm pretty sure either we understand the risk and don't care, or we're ignoring the warning. Either way the warning is no longer serving a purpose.

> @BriantGea You're conflating security conscious with technologically capable.

Just because someone can't make an extension doesn't mean they don't know the very basics of how they work.
And anyone that is security conscious knows that a lot of apps on your phone have code to harvest your personal data.... and an extension is similar. (Just instead of adding to an OS you are adding it to a browser)

But yes, as the "warning" is now... it only serves to drive people away from the platform.

Thank you for putting it in the roadmap rebron :)

Fix the issue or I will quit this browser and be forced to recommend against it.

The whole point of this browser is that I can do things like use unloaded extensions.

Do not turn your core users off by trying to tell your users "I know what's best you don't." That's what drove users to quit Chrome and Firefox to use Brave in the first place.

Your call Brave devs.

@epycurasWynter
If you scroll up, it's been added to the roadmap. The hostility is unwarranted.

> @epycurasWynter
> If you scroll up, it's been added to the roadmap. The hostility is unwarranted.

What does "it's been added to the roadmap" mean?

https://www.merriam-webster.com/dictionary/road%20map

If all it means is some random user said it's on the Road Map rather than Brave's coders actually intending to fix the issue, my statement still stands.

> rebron added design priority/P4 labels 4 days ago

^^ Two eyes. Two ears. One mouth. Look and listen before you speak. Rebron is on the development team, and added the design and priority4 tags half a week ago. IE: it's on the roadmap.
Oh and before you ask how you could have known that...
https://github.com/orgs/brave/people
That's how.

> > rebron added design priority/P4 labels 4 days ago
>
> ^^ Two eyes. Two ears. One mouth. Look and listen before you speak. Rebron is on the development team, and added the design and priority4 tags half a week ago. IE: it's on the roadmap.
> Oh and before you ask how you could have known that...
> https://github.com/orgs/brave/people
> That's how.

Rebron isn't actually listed there but I found out Brian is, which means they at least know of the issue.

I'll give them 1 month. After that I will assume they gave up on it.

1 month? Cool. Don't let the door hit you on the way out.

It would be nice if it took less than a month to solve this...... but as long as it gets solved.

Just joined GitHub to post on this issue because it's so annoying.

I also want to point out that the Vivaldi browser has this warning disabled by default.
It's a browser that's also based on Chromium, and it's the final release, not the developer release. So normal users don't even see the warning out-of-the-box, and yet Vivaldi isn't having any security issues. Maybe because users who sideload extensions are typically not brain dead idiots or 5 year old children. So the whole security argument with Brave is **.

It makes perfect sense to show this warning _once_ after the first time you sideload something, but _every_ single time you open Brave? Ridiculous.

Here's four suggestions:

  1. Have an option in Settings to disable it.
  2. Have a checkbox within the warning pop-up that says something like "never show this warning again".
  3. Only ever show the warning once.
  4. Copy Vivaldi and never show it at all.

Yeah, I tried using Vivaldi and its user experience is dated, its security features are ... laughable. It's slow to load, and netted me a 2% performance increase over Google's stock Chrome browser. Brave's security is much tighter, comes with a built-in ad blocker, still comes in between 20 and 40% performance increase over stock Chrome WITHOUT adblock.

That's like saying cookies should copy gravy because both contain flour. It's a nonsensical argument.

I don't think that the disable should be quite as simple as a checkbox, as people frequently see those types of dialogues and just bypass them without reading them, if it never popped up again.

Your suggestions otherwise show a decent rationale, except for the part where you keep bringing up Vivaldi. If you like how Vivaldi did it so much -go use Vivaldi.-

> Your suggestions otherwise show a decent rationale, except for the part where you keep bringing up Vivaldi. If you like how Vivaldi did it so much -go use Vivaldi.-

Don't know why you're acting defensive... Didn't know GitHub was like a console fanboy forum.

Vivaldi was simply a good example to use as it's also Chromium based. The whole point I joined GitHub and posted here is because I want my preferred browser, Brave, to be less annoying.

Again I'll suggest... 2 eyes. 2 ears. 1 mouth. If you look up four days ago, before it was put on the roadmap, I was saying the same things you were. Now they are working on it. Fanboys don't hop back and forth between for and against, they're always for. When I was told they weren't fixing it, I was against them, now that they're fixing it, I'm defending them while they take the time to fix it. Because my philosophical stance is that there should be a way to turn it off, they are working on providing that method.

And all I did was counter the nonsense. If you want Brave to be like Vivaldi, then there's already Vivaldi, go use Vivaldi. Brave does things its own way, that's why you prefer it because of the way they do things. But now is the really hard part. They've decided they will fix it, and though it is not ideal right now, it will be, so your job is to wait and give them the time necessary to write and test a new security method to safely deal with the situation. Your job now is to wait and see.

That you interpret my temperance as mindless defensiveness says more of you than it does me.

> Just joined GitHub to post on this issue because it's so annoying.

Me too.

+1 from @ireallydontwantthisaccount via https://github.com/brave/brave-browser/issues/4498

With Chromium, when you have an unpacked extension loaded, every time you open the browser it will warn you that it's "unsafe". This should be removed because it's extremely annoying, especially when you have no other choice (I use an extension to restore YouTube's classic look and Google took it off of the Chrome store).

MeeToo

Please put in an option to disable the warning after the first show-up.

A. people make their own extensions
B. Chrome bans extensions for dystopian ideological reasons

Brave is supposed to be different. You know: _open_, _free as in freedom_ and _for the people_.

We have this issue on the board and prioritized. We have more than enough feedback (been very helpful) as a requested issue to address. We'd like to move forward with discussing implementation details with future comments as we need to start discussing UI/UE/text etc.

I recommend a simple "Do not show this notification again unless a new extension is added" option that is a clickable button that appears in the notification box. Then also have Advanced Settings checkboxes that say 1."Show a notification after an unloaded extension is added," 2."Show a notification after an unloaded extension is updated or added (Default)," 3."Show no notification when an unloaded extension is updated or added (Not recommended.)," and 4. "Always show a notification when an unloaded extension is loaded." This way if something gets added or updated by a malicious program then I can choose to know, or not know at my own educated risk.

I'm not so sure I think there should be an option in the dialog to turn it off. I think it should have something more along the lines of (Visit the security section in Brave Options to disable this notification), as it increases the number of steps a person has to go to to make ABSOLUTELY SURE they want to turn it off, AND coincidentally ALSO shows them exactly where to go to turn it back on or to disable all sideloaded extensions. Subtly making sure they know where the controls are in case their wants/needs change.

I also liked the idea of a toast notification that shows up once, then goes away if it's not interacted with. Maybe with a "remind me again in _______" option on it. I've always liked opting in more than opting out.

A nice compromise that's still making best effort to have the user read the warning/details is to nest the option in a settings panel as ArakoKatoc suggested, and to have it prompt again if any other new extensions are sideloaded.

That seems to make the decision to ignore the warning deliberate enough that the user has clear responsibility for that decision and they are still prompted if another extension they didn't intend to load is loaded.

The main issue here is there's some very crazy censorship on the Play Store where they will allow Terrorists and Evil people, but ban alternatives to Main Stream Monopolies.

Dissenter, gab, and freethepress for example are quickly banned from almost every platform as soon as they create an extension, app, or plugin for anything, including the chrome webstore.

If you added an alternative to the chrome webstore for extensions we could have a system for signing our own and allowing developers to post uncensored comments.

As another thought - you could also leave an "Unsigned Extension" icon somewhere on the UI (like you do brave rewards and adblock) so that if one user goes and disables the notification other users would still be aware that it's there and know to pay attention to it, the behavior of left clicking the icon would take you to the Extensions pane, and perhaps (if possible) highlight sideloaded extensions, right click would bring up a context menu that has controls like "Disable all sideloaded extensions" "Disable new sideloaded Extensions" "Safety & Security Options" "Why am I showing this" and "help"

Everyone here, I would like to tell you all an important story you all should know, which ties into user KiloJuliet's sentiment of which I share.

An extension named Streamus about two or three years ago was shut down by Google Chrome, in one of the most shockingly unjust acts of censorship by Google toward an extension I have ever seen as a direct result of them abusing their monopoly status over videos -and cost the creator hundreds of thousands of dollars in wasted time.

Streamus was an extension that you could click on, and would show a menu that would extend out of the button. It would have loaded in that menu any YouTube playlist you wanted and any YouTube video you searched inside it. It would play YouTube playlists directly inside of the extension without ads, and would let you even see the video as it played. You could listen to the videos without the menu being open, and freely switch between tabs or shrink the browser while the playlists played.

But, because Google owns YouTube and did not want to lose profit on ads, and did not like people not going to their website, they shut down the extension even after the developer created updates specifically to address these concerns. Google even had the gall to say the creator was being treated too kindly by them by receiving more dialogue with them than anyone normally receives, before then shutting Streamus down.

The developer had quit their job just to make the extension Streamus, and you can find articles on this with a simple Google search on Streamus. That developer lost approximately 250k dollars they could have made from their job, and instead put that time into making code for the extension. They had built a thriving community on r/Streamus, and thousands of users spoke avidly about how great the extension was.

Brave, please learn from this lesson, because some day you and your coders will be in a position to do the same evil Google did by blocking extensions and developers in the name of unnecessary profit from ads, or unnecessary extra traffic to a website you all might one day acquire or make.

So with all of that dramatic story-telling out of the way, I'll simply advise Brave NEVER block people from using an unloaded extension or require a digital signature. And further, Brave SHOULD get a free extensions store similar to the Chrome web store, but unlike the Chrome store, allows extensions such as Streamus regardless if such extensions may one day cut into Brave's profits ad-wise or traffic-wise. And one more thing -advertise that unlike the Chrome Store, the Brave Store isn't run by censor-happy greedy monopolists and will let you upload any legal extension you want. Brave would definitely live up to its name in doing something like that and would very easily develop a loyal cult following of users online by taking a pro-free speech anti-monopoly stance like that.

With Great Sincerity,
Epyc Wynn

We should stay on topic.

Thanks for the feedback all - I'm going to lock the topic. As @rebron said, we have this on the board and prioritized. Thanks for your patience! 😄

@KiloJuliet an alternative to the Chrome Web Store is possible - the URLs recognized by Chromium are in src/extensions/common/extension_urls.cc (variable is called kChromeWebstoreBaseURL).

I'd suggest making a new issue capturing your feedback in a way that can be actionable (Add support for more than one official store, etc) as this issue is for hiding the side loading notification. Thanks! 👍

This may need additional investigation. I am no longer getting this warning on Nightly.

interesting - I wonder if this was impacted by the field trial changes that were just merged?
cc: @jumde

It's related to ExtensionDeveloperModeWarning experiment being turned off, I'm not sure what the final decision about the change is, but it can be easily enabled/disabled. cc: @tomlowenthal @bsclifton

My preference is to continue displaying the warning as before in all CI builds except for a special actually-for-developers build (like Firefox has) in which it can be disabled. In the absence of a special developers build, I'm begrudgingly okay with allowing a preference to disable it in Nightly and in Dev.

Since this is currently disabled, because of the field trials... I'm going to close this issue

@tomlowenthal can you create a new issue for the behavior you think makes sense? 😄

New issue is #5063.

@bsclifton is there anything QA can do here? Sounds like this was disabled due to the field trials work. Would a simple test case of side loading an extension manually and making sure the modal popup doesn't appear be sufficient? If there's anything else that needs to be QA'd here, please let me know 👍

@kjozwiak that would be a great test - let me add the labels and some test steps

Great, thanks @bsclifton! Much appreciated!

@kjozwiak top post edited 👍

Verification passed on

Brave | 0.68.128 Chromium: 76.0.3809.100 (Official Build) beta (64-bit)
-- | --
Revision | ed9d447d30203dc5069e540f05079e493fc1c132-refs/branch-heads/3809@{#990}
OS | Ubuntu 18.04 LTS

Verified steps from the description.

Verification passed on

Brave | 0.68.128 Chromium: 76.0.3809.100 (Official Build) beta (64-bit)
-- | --
Revision | ed9d447d30203dc5069e540f05079e493fc1c132-refs/branch-heads/3809@{#990}
OS | Windows 7 Service Pack 1 (Build 7601.24494)

Verified steps from the description.
Logged https://github.com/brave/brave-browser/issues/5653

Verified passed with

Brave | 0.68.130 Chromium: 76.0.3809.100 (Official Build) (64-bit)
-- | --
Revision | ed9d447d30203dc5069e540f05079e493fc1c132-refs/branch-heads/3809@{#990}
OS | Mac OS X

  • Verified Test Plan from description.