Off The Main Thread Podcast

Chrome’s secretly installed extensions

Luca found a hidden Chrome extension that is installed by default in Chrome and most Chromium derivatives. Surma and Jake dig into what this extensions does and how reasonable it is to get angry about it.

Resources:

Transcript
  1. Surma:All right, Jake, we're probably slightly behind schedule this month, but, you know,
  2. Surma:we're traveling, it happens, we... but I think it's... yeah, true! And also, I feel like
  3. Jake:Yeah, it's been a busy old summer. Oh, yeah, it's more than once a year, so that's,
  4. Surma:compared to our, you know, schedule commitment we had on HTTP203, it's still an improvement!
  5. Jake:yeah, we're doing very, very well. We should say, I mean, how kind of proper are we supposed to do this? Like, because, I mean, who are you? What's going on?
  6. Surma:Oh, who am I? What's going on? I'm Surma. This is a podcast. And this... Oh! I didn't
  7. Jake:And I am Jake. Yeah, like, I was trying to do an intro. Look, so the state of react came out, right? And what's there in the podcast section?
  8. Surma:realize... OK. Right. Yeah, I mean, you say that, but HTTP203 was pretty sloppy. Obviously,
  9. Jake:HTTP 203. Not OTMT. And I'm just, I just don't think we're ever going to, you know, beat our previous selves if we are this sloppy, if we're just, like...
  10. Surma:we had professional editors. I mean, we still have a professional editor, but we're doing
  11. Jake:Yeah.
  12. Surma:more of the work ourselves. And for some reason, it has brought us to... I think the
  13. Surma:reason OTMT is not on the state of React is because that survey came out before we even
  14. Jake:Okay, we'll keep telling ourselves that, and we'll see what happens. But that's fine. That's fine by me. So who's a half listener? Because it's me, you, Lucas, our editor, and there's just someone overhearing Lucas in another room? Is that it?
  15. Surma:started with OTMT. Yeah. If we're still not on there by next year, then I guess we'll
  16. Surma:just keep talking to our three and a half listeners. Yeah.
  17. Surma:Yeah, I feel like it was mostly Lucas, because he's not listening to the words we're saying.
  18. Jake:Oh, that's fine. Yeah, that makes sense.
  19. Surma:He's just waiting for someone to bang on the table and just cut that noise out, isn't he?
  20. Surma:And doing, you know, and making a sound actually coherent, which honestly, sometimes he does
  21. Surma:do that. Yeah, a lot of hard work. Ooh. Oh, I thought you were going to say, oh, I didn't
  22. Jake:A lot of work, a lot of work.
  23. Jake:So I went to Silverstone recently for the Grand Prix, which I tend to do every couple of years. And it reminded me of something which happened last time I was there.
  24. Jake:So, so last time I was, I went to the track on a Thursday. Now, there isn't motorsport as such on a Thursday. But what they do have is the Sky TV folks do their live show.
  25. Jake:Well, interesting, you should say that. Well, so their show is just like they bring the drivers out, they do interviews, that kind of thing. But it's on the start finish straight. And if you want to get decent seats, you got to turn up like fairly, fairly early. So we did. And we were there like an hour, an hour and a half before anything was going to happen. And we weren't alone. Like there was a lot of people in the stand just kind of sitting waiting.
  26. Surma:say like they do power walking tournaments or something. Oh.
  27. Jake:So people were entertaining themselves. And one thing they were doing is like, so there is stuff happening on the track. Like, there are people who are running it, there are road sweepers, there are people who are cycling it. Well, yeah, so the engineers do it just for exercise, right? Because they're flying around the world from track to track. And it's, it's something they do for, for exercise. But it is also what people they do it to see if there's any new bumps on the track as well. There are scouts that feedback to the drivers.
  28. Jake:So whenever someone came around the final corner on their sweeper or their bike or whatever, the crowd would start going, oh, as they got closer and closer to the start finish straight. And as they cross the finish line, the crowd would go way. And, and it was at this point, you know, the person cycling or the person in the sweeper would have to acknowledge the crowd in some way and wave.
  29. Jake:And if they didn't, the whole crowd would boo really, really loudly. That was it. They would turn on you instantly. So we were doing this for like, you know, 45 minutes or whatever.
  30. Surma:Yeah.
  31. Surma:Yeah.
  32. Surma:Yeah.
  33. Surma:Yeah.
  34. Surma:
  35. Jake:And then around the final corner came a child or a young, young kid in an electric wheelchair. And you could see that the whole crowd was thrown into a kind of quandary. Like, what was, what's the etiquette here? Like, we've got a system, you know, we've got a thing we do here. But is it, is it appropriate? What, what, what do we do?
  36. Surma:Yeah, of course you cheer them on. Yes, he did.
  37. Jake:Well, that's it. Someone started, oh, and the rest of the crowd started building up. Oh, and this kid crossed the start finish line. And he like, pumped his fist in the air. And the whole stadium went crazy. Like it, I think, I think there was more cheering than there was at any point during the actual Grand Prix. People were on their feet, cheering. It was, it was like, it was a lovely thing to be part of.
  38. Surma:That's amazing.
  39. Jake:But there was a guy on the track, kind of around the start finish line. And he, he sort of walked around just to the final corner. And he, he put his phone on a selfie stick, extended it. And then he clearly sort of started recording and he was, you know, talking into, into his phone and he was sort of gesturing at the audience. And then he set off running towards the finish line with his selfie stick in a hand sort of pointing sort of, you know, between him and the crowd.
  40. Surma:Nothing. I would also have done that. Doing it for the gram. You're not getting anything.
  41. Jake:And, you know, so the crowds would be behind him. And he walked and he, well, he ran, he ran, he ran fast to the finish line. And the crowd gave him nothing. Not even a boo. Absolutely. He crossed that finish line to almost deadly silence. It made me proud to be British.
  42. Surma:So petty, but effective. I love it. Yeah, because even like a boo would have been, you
  43. Jake:Absolutely. I don't get patriotic very often, but that was one of those moments.
  44. Surma:know, content, but that the fact that there's like the instant hive mind of doing the correct
  45. Surma:thing, that he basically just now has footage of him running across a finish line by himself
  46. Surma:and visually or like on the video, nobody cares. That's absolutely brilliant.
  47. Jake:Do we know what the episode is titled? Or does that come later?
  48. Surma:Let's talk about the web, because I feel like in the last month spent some, you know, spicy
  49. Surma:things. I guess at this point people already know what the episode is titled.
  50. Surma:Yeah.
  51. Jake:Oh, that is good. I like it.
  52. Surma:My current pick is Chrome's secretly installed extensions. There's a bit of spice in that.
  53. Surma:So this whole thing got started by a tweet that Luca did. And Luca is an engineer at
  54. Jake:Yes.
  55. Surma:Dino. Lovely guy, really talented, does, you know, loads of engineering in the Dino front
  56. Surma:end. Dino back end is also on TC39 and on the Winter CG and just like, I honestly don't
  57. Surma:know how he juggles it all. And I suppose in his work, while, you know, spelunking the
  58. Surma:Chromium code base, because he works a lot with V8, but also with Chromium, I suppose
  59. Jake:It's not sounding good, but what does it do?
  60. Surma:over a piece of source code in the Chromium source space, which is a Google meet extension,
  61. Surma:like literally same as if it was a normal Chrome extension you install from the Chrome
  62. Surma:extension store or whatever that's called. But it's installed by default and it doesn't
  63. Surma:shop in the extension list and you can't disable it. Right. And he was also saying, you know,
  64. Surma:it's also in Brave and it's an arc and it's an edge and it's likely in all other Chromium
  65. Jake:Oh, interesting. Because, because we should say that Chrome and Chromium are technically different things. Like you've got the, like Chromium is the open source project that Brave, Opera, Arc, like feed off.
  66. Surma:derivatives as well. So I was also like.
  67. Surma:Exactly.
  68. Jake:And then you've got Chrome, which is kind of the closed source version, which has some extra bits. I think that's where some of the like video codec stuff goes into. That's, that's like less open source. It's where I think some of the DRM stuff, which we all love goes in. But so, but this, which kind of feels like it sits on more that sort of side of things, but no, this is in Chromium.
  69. Surma:Yeah. So that's where I immediately and look at the set this as well, like he had a fairly
  70. Surma:long thread where he said, I don't think this is actually malicious or harmful. It's just
  71. Jake:Hmm.
  72. Surma:an hour dive into the whole dissection of what it is and is it good? Is it bad? Is it
  73. Surma:not? But my immediate thought was as well, he linked to the Chromium source code with
  74. Surma:a link and and it was in Chromium. So therefore, it's not really a secret. It's out there.
  75. Surma:All of the other people who build on top of Chromium would have to know about it or just
  76. Surma:have missed it. If it was malicious, it would have been a lot smarter by Google to put it
  77. Surma:into Chrome, which is the closed source thing to get added to Chromium, which I think also
  78. Jake:But the important thing you said there is that it's not malicious. So nothing to see here. Happy next time. Bye bye.
  79. Surma:has stuff like the whole logging into your Google account and syncing your tabs, which
  80. Surma:I'm assuming that code can't necessarily be fully open. But also, like you said, the
  81. Surma:DRM stuff for Netflix to play video so you can take screenshots and stuff to maintain
  82. Surma:that whole chain of trust.
  83. Surma:Yeah.
  84. Surma:Well, that was my hunch, but I did want to check and I think so did many others, because
  85. Jake:Except hidden. It's so normal. They've decided to hide it.
  86. Surma:obviously that tweet got attention and loads of people were saying like, yeah, you should
  87. Surma:have been using Brave all along. And he was like, yep, it's in Brave as well. Go try it
  88. Surma:out. Right. So what does it do? Let's actually look at that. Like I said, it's a completely
  89. Surma:in that sense, normal Chrome extension.
  90. Surma:Yeah, I mean, in the terms of the code that it's like the language is written, it's just
  91. Surma:JavaScript, same. It could be just as well a public Chrome extension. There's no special
  92. Jake:Okay. Okay.
  93. Surma:abilities granted to that extension apart from being installed by default. So this Chrome
  94. Surma:extension, as any Chrome extension, filters the domains in which it is active. And this
  95. Surma:one is filtered to all Google subdomains.
  96. Jake:Oh, so it's not just meat.
  97. Surma:No. So that's already, I think, where, you know, that net raises eyebrows. It basically
  98. Surma:I think the filter is quite literally star.google.com.
  99. Jake:I mean, my eyebrows were already raised. They're, they're kind of off my head entirely. At this point, they're kind of, they're up on the ceiling. It's, it's slightly terrifying there.
  100. Surma:It's a great look. And from skimming the code, what it seems to do is it adds additional
  101. Surma:APIs to the global in which that extension is active, which allows that tab to know about
  102. Surma:the computer's CPU usage, this specific tabs, CPU usage, the GPU usage and the JavaScript
  103. Surma:memory consumption. And that's pretty much it. There's also some logging happening, which
  104. Jake:Yeah.
  105. Surma:I don't understand why this need to be in the extension. I think it was just convenience
  106. Surma:for them. But in the end, you know, logging like somebody opened this URL, you can just
  107. Surma:do with the beaten API or something. I don't know why that is indirect, because, you know,
  108. Surma:it's not in any way special from what Lucas said and showed is that this extension is
  109. Surma:used by Google meet and Google meet is also in the title of the extensions name exclusively
  110. Jake:So what was it? You said it was CPU.
  111. Surma:question mark in the troubleshooting panel. So if you go to like a three dot menu and
  112. Surma:there's like a troubleshooting menu point, that dialogue is supposed to help you figure
  113. Surma:out why your meeting is maybe not working as expected or why you're having issues and
  114. Surma:to be able to give better advice of what is going wrong or what you should try. They
  115. Surma:want to have access to these data points which are not available as a normal Web API.
  116. Jake:CPU states. Did you say memory state as well?
  117. Surma:Well, yes, CPU usage also like globally, but also specific to the tab, GPU usage and
  118. Surma:JavaScript memory consumption. So, you know, they can do stuff like, hey, it looks like
  119. Jake:Okay.
  120. Surma:your GPU is pretty bogged down. Maybe you can close one of the three games you're currently
  121. Surma:running or something like I wouldn't know what you have running off because that is
  122. Surma:not exposed. But I think that's kind of like the kind of data they want. And they even
  123. Surma:draw a CPU graph, I guess, to show your CPU is bogged down. So if you open this in Safari,
  124. Surma:that part of the dialogue just has is blank and says, hey, use Chrome if you want more
  125. Jake:Right. And so we can say like, oh, it seems like the intent with these APIs is good. And it's not like doing anything totally crazy. But this represents the Chrome has given itself an advantage by bypassing web standards.
  126. Surma:help.
  127. Surma:Exactly. So I think I fully agree with the assessment. It seems to me that this extension
  128. Surma:doesn't do anything evil. And it probably was born out of the need and desire to help
  129. Jake:Oh, it sure is. Yeah.
  130. Surma:users to make me work. Some people were saying like this data that they're exposing could
  131. Surma:be an additional fingerprinting vector. But at the same time, and look, I said this as
  132. Surma:well. It's like, well, you're already locked into Google when you use meat. I think we
  133. Surma:are beyond fingerprinting in this context. And this extension is scoped. Some other people
  134. Jake:Presumably all of these, like the GPU monitoring, CPU monitoring is, is just is, is available to other extensions as well. So yeah. Okay. So rather than messing around with DNS, your easier thing you could do is just write an extension.
  135. Surma:also weren't like, hey, cool, I can abuse this by just like you having a custom DNS
  136. Surma:setup. And if I put myself on a Google subdomain, I get access to this.
  137. Surma:Yeah, yeah. Well, even then, the extension is scoped to HTTPS. So you would also have
  138. Surma:to have a custom certificate installed. And once you install custom certificates, I think
  139. Jake:Okay.
  140. Surma:you have bigger security problems going anyway, because yeah, then other things can be stolen
  141. Surma:as well. So I feel like in that sense, they did it the best way possible. And yeah, there's
  142. Surma:like in terms of like, it's not a secret. In fact, there's a thread on Blink Dev where
  143. Surma:contributors from Edge and I think even other browsers are talking about this extension
  144. Surma:in the code base and whether it should be revisited at some point. So yeah, it's not
  145. Surma:a secret. It seems harmless. It seems like the additional APIs that are being exposed
  146. Jake:Well, so recently, Apple Maps has been released for the web. And if you try to go to that site on Chrome, or Firefox, you get a blanket no.
  147. Surma:cannot be really exploited or could be used by other parties that are not supposed to
  148. Surma:have access. But like you said, does that make it okay? And I feel like the answer is
  149. Surma:still kind of no.
  150. Jake:It's like, especially if you're, if you're on Mac. Yeah, like, it's, it's very much like you should use Safari. And it's an artificial limiting thing. Because I think if you're on Windows, you can use Chrome, something like that is, is just like, you know, we're Apple, you should use Safari if you can.
  151. Surma:Oh, really?
  152. Surma:Now, if you're on Apple, use Safari. If you're somewhere else, I guess we'll let you through.
  153. Jake:Yeah, and I don't like that. I think that's bad for the openness of the web. So what we're seeing Chrome do here is, at least as bad as that. I mean, so meet now does work in Firefox does work in Safari, there was times when that wasn't true. But they are creating a better experience in Chrome through a hidden extension. And you would think if it if it was, if it was something they were proud of, it would be great.
  154. Surma:And I keep thinking about that as well. So like someone dug up the original PR when this
  155. Jake:It wouldn't be a hidden extension, would it?
  156. Surma:was added. And at the time, this is apparently in 2013, it was scoped to Hangouts. Like even
  157. Surma:on the URL, I think it was scoped to google.com slash Hangouts. It was Hangouts only. No other
  158. Surma:Google product could use these APIs. In fact, currently it is, as I said, like available
  159. Surma:to all Google subdomains. I do not know if any other Google product uses the abilities
  160. Surma:of this extension, but I also understand why they increased the scope. Like why is it available
  161. Jake:I mean, the whole thing is iffy. But yes, that in particular, it is Chrome giving itself an advantage. Like, of course, Safari could add the same hidden extension. And they could add the same non standard API's to Google meet and in order to create the same extension. But that is very, very similar to what was happening in the old IE days where Microsoft would just add whatever API you wanted to add to Chrome.
  162. Surma:to all Google products when it's specific? That's just something I find a bit iffy. It seems
  163. Surma:unnecessary.
  164. Surma:Yeah.
  165. Jake:And it was down to the other browsers to reverse engineer it is it's not I mean, okay, it's this is limited to a set of domains. But in some ways, that's, that's worse on a on another axis, right? So we're saying it's bad, because Hangouts on Chrome can have this better experience and then Hangouts on Safari through artificial means. But you're you can also say, well, well, hang on now.
  166. Surma:Yes.
  167. Jake:Zoom is having a worse experience than Hangouts through this. And like if they wanted to have that similar experience, yes, they could create an extension, but they would have to get you to install that extension. They don't have the benefit of it being you're installed on the slide by default. Yeah, that it's I mean, I guess I will say the word anti competitive as not a lawyer. But yeah.
  168. Surma:No, that's exactly what other people have been saying as well. It was in like, at least
  169. Surma:with our EU hat on, this could probably be quite, you know, realistically framed as anti-competitive
  170. Jake:Yeah.
  171. Surma:because exactly that example was brought up as well, where zoom now potentially has less
  172. Surma:abilities or a worse experience than what Google meet offers in Chrome. And it's mostly
  173. Jake:Hmm.
  174. Surma:about the fact that it's installed by default, enabled by default and hidden and can't be
  175. Surma:disabled. And what I think really weird because it's clearly not critical for operation, this
  176. Surma:extension, because it works, you know, Hangouts or meet works just fine in Firefox and Safari
  177. Surma:as is. I haven't tested that. I assume that would push you towards the app. Maybe. Yes.
  178. Jake:Does it work on Android Chrome? Because we don't there's no extensions on Android Chrome.
  179. Jake:Yeah, oh, they definitely do.
  180. Surma:I was like, if I just use Hangouts and I went to the troubleshooting dialogue and then I
  181. Surma:went, Hey, if you install this extension, we can help you troubleshoot better. Legit.
  182. Surma:That seems completely fine to me. Like that's an opt in. And that is basically even playing
  183. Surma:field because any other provider could also write such an extension.
  184. Jake:Yes, a lot of these API's actually went through the standards process, because at the time Firefox OS wanted them.
  185. Jake:Yeah, so they just wanted everything that you could do on native really at the time, but these API's were rejected because of well eventually like Firefox didn't want them because of Firefox OS kind of going away.
  186. Surma:Ah, Firefox OS. Yes.
  187. Jake:But the problem was fingerprinting. And as you say, it's not so bad in this case, if you are logged in. But I mean, from what I understand, like, if this is available to all Google sites, then you know, these things can be accessed when you're not logged in.
  188. Jake:And certainly the web standards version could be it doesn't have the concept of logged in at all.
  189. Surma:Yeah.
  190. Jake:So yeah, I mean, there are good reasons why these API's were not taken forward.
  191. Jake:So kind of just adding them again on the slide is a bit not great.
  192. Surma:So I wonder why this extension is around installed by default. And so I dug a bit deeper,
  193. Surma:especially because people were, you know, tagging in all the other Chromium directors
  194. Surma:like Brave and Vivaldi and asking, is this true? And they were like, yes, it's true.
  195. Surma:And at that time that extension was necessary for Hangouts to work. So I think at the time
  196. Surma:just the web platform hadn't evolved enough to make something like Hangouts work. That
  197. Jake:That was the reason why for a long time, it didn't work in in Firefox and Safari, there was like a particular web RTC, something, something, something, like even when there was some support in other browsers, there was a couple of methods that Google claimed were essential for this and could justify
  198. Surma:was before it was renamed to meet across browsers, just based on web APIs. You know, I think
  199. Surma:WebRTC probably wasn't quite there and some other APIs maybe too.
  200. Surma:Yeah.
  201. Jake:not allowing Safari and Firefox access on those but they were fixed. Yeah, that has changed.
  202. Surma:So for example, Vivaldi weighed in on this thread. I don't know who from Vivaldi, but
  203. Surma:they have their browser account on X. And they replied with, yeah, yeah, we know about
  204. Surma:this and we expose it in the settings. So it is enabled by default, but they very much
  205. Surma:make it a setting where you can go like, no, I don't want this extension to be enabled
  206. Surma:by default.
  207. Surma:Brenton Eich weighed in from the perspective of Brave and he said, you know, it used to
  208. Jake:Which is interesting, because as you said, the logging bits feel like well, you know, logging isn't exactly a new capability on the web.
  209. Surma:be enabled by default, but they used a patched version. So they disabled the logging parts
  210. Surma:but still left the other APIs in there to give a consistent experience from Chrome to
  211. Surma:Brave.
  212. Surma:No, but it was really interesting that he then later linked to PR and that was probably,
  213. Surma:I assume, spawned by the thread that Lukas started, that they have it now fully disabled
  214. Surma:because, and they have a comment in their commit history, that they actively knew about
  215. Surma:and kept this extension because when this whole thing started, you needed it for Meet
  216. Surma:to work. And they obviously wanted people to be able to stay in Brave and attend a Meet
  217. Surma:without having to switch back to Chrome. So they left it enabled. But as I said, you know,
  218. Surma:it works cross-browser now. All the mission-critical things that Meet needs are on the web platform
  219. Jake:But even what you said there is like highlights what's wrong with doing this is like, you know, another browser has has to adopt these Google designed API's exposed to Google sites, because if they don't, then, you know, Hangouts meet doesn't work. It's
  220. Surma:and are supported cross...
  221. Surma:Yeah.
  222. Surma:Well, that's what I was just saying. I think now they have realized that that statement
  223. Surma:isn't true anymore. You can disable this extension and Meet will continue to work because it
  224. Surma:works in Safari now, for example, as well without any extensions. So it feels to me
  225. Jake:It's
  226. Surma:that this, again, the very original extension for Hangouts was born to make this product
  227. Surma:a thing, virtual meetings, platform evolved, less and less capabilities need to be like
  228. Surma:crowbarred into the browser via extension and could just be built on top of the web platform.
  229. Surma:And this extension just kind of continued to exist and was slightly adapted and evolved.
  230. Surma:And technically it's not needed anymore, but people kind of forgot about it, seems to be
  231. Surma:my takeaway, because just now Brave was like, oh, we can actually disable this because Meet
  232. Jake:Hmm.
  233. Surma:continues to work. The only thing that won't work is the troubleshooting dialog where you
  234. Surma:get a CPU graph. And I don't know, like I'm okay with that by default. They could probably
  235. Surma:inject like a little, hey, if you want the graph, we can enable the extension for you
  236. Surma:or something. So it seems overall an artifact of history and probably harmless. But I also
  237. Surma:think stuff like this still burns user trust.
  238. Jake:Oh, absolutely. Has Chrome said anything about this? Has Google said anything about this? Okay.
  239. Surma:No, as far as I know, there has been no official statement. I assume that they revised history
  240. Surma:probably more thoroughly than I have and came to the conclusion, this is all harmless
  241. Surma:and not worth giving attention to, which I'm not sure I agree with. I guess the majority
  242. Surma:of public users didn't even notice this in terms of waves within the web development
  243. Surma:community. I thought it was quite big. I think it was one of those tweets from Luca which
  244. Jake:Hmm.
  245. Surma:went to like a thousand likes and above. So definitely got eyes on it. But, you know,
  246. Surma:people love a good outcry and outrage, but I think nothing major has come of it. But
  247. Surma:I think it's just one of those things, a bit of carelessness and a bit of like questionable
  248. Surma:decision making that just now look really dodgy.
  249. Jake:I agree. So I wonder if Google had the same journey here that they they had the extension for you to make Hangouts meet work at all. You know, again, I question the ethics of that decision. But when the that, like strong requirement went away, maybe no one asked the question, should this be around anymore? It's like, well, people aren't or if they did ask, it's like, well, people aren't complaining about it. So why not have this slightly better user experience through this slightly shady method?
  250. Surma:The questions were definitely asked on BlinkDev. So there was someone asking, hey, do we still
  251. Jake:Hmm.
  252. Surma:need this? I had a quick skim of this code. It looks like it just does some, you know,
  253. Surma:GPU, CPU stuff and some logging. And they're like, yeah, we could probably rework this.
  254. Surma:I don't think we can land these APIs. But there were definitely people bringing up the
  255. Surma:questions and Chromies were replying. So there was a prompt for them to maybe go, maybe
  256. Surma:revisit this. But they didn't. And, you know, that's again, not to paint a picture of them
  257. Jake:Hmm.
  258. Surma:actively turning a blind eye to leave the evil extension running, but more like people
  259. Surma:are busy and have better things to do. But also...
  260. Jake:I mean, that is kind of the definition of turning a blind eye. So but yeah, I don't know. I think I'm angrier about this than you are. I don't like this. I think Chrome should remove it, especially now, if it's just a tiny little, if I was working at Google still, this would make me really angry. Because like you say, it is so much trust burned for so little. I mean, well, like you say, it maybe hasn't sort of taken off in dev communities.
  261. Surma:I agree.
  262. Surma:Yeah.
  263. Jake:So maybe they haven't burned a lot of trust. But I feel I would feel like it's just, it's something there that anyone who doesn't like Chrome or other browser vendors would just be able to, you know, if I'm in a standards group, and I try and say to someone, hey, you know, I, you can't just ship that without standards effort. All they'll have to say is like, well, you, you know, you install this stuff in the background all the time. I mean, so what, you know, you don't care about this stuff.
  264. Surma:And Chrome gains so little from this extension at this point.
  265. Jake:And that's it. It's not for anything anymore. I mean, such a small thing now. It's not worth it is not worth burning the trust over it.
  266. Surma:So I'm going to link to all of this in the description. Curious if, you know, if people
  267. Surma:want to take a look and form their own opinion on the original PR, the DevLink discussion,
  268. Surma:Lucas whole thread, the commit, Brendan Ice stuff. I'd be curious to hear from our three
  269. Surma:and a half listeners what they think and if how angry are they? Because I'm not like angry,
  270. Jake:I am angry about it. And again, I just have to keep asking myself, like, how would I feel if it was Apple doing this? You know, who I've kind of got, I guess, historical knowledge of.
  271. Surma:but also I've become increasingly indifferent because it sounds harsh, but like, this is
  272. Surma:not the first time we have discovered something weird about how Chrome operates. And it almost
  273. Surma:feels a bit pal for the cause at this point.
  274. Surma:Yeah.
  275. Jake:historical beef with in terms of, you know, their attitude towards the web. And yeah, I'd be really angry about it. And I am I, I think they could, it would be a nice step for them just to remove that extension and maybe do a bit of like a postmortem blog post on it.
  276. Surma:Yeah.
  277. Surma:Yeah.
  278. Surma:Maybe it's like, what is the process for solving a product at the time, but also making sure
  279. Jake:You know, because I think there is a reasonable ish story that you could tell behind it. And certainly a nice thing to kind of end and say, look, maybe we should have removed this sooner, but we have removed it now.
  280. Jake:Hmm.
  281. Surma:you don't forget about it and put in the effort to remove it once that need has evaporated?
  282. Surma:Because I wonder, you know, it also makes you think how much more is there in Chromium
  283. Surma:or Chrome, especially in Chrome where we can't see it, but even in Chromium, because we worked
  284. Surma:at Google for a good number of years and know how to read lots of code, but I still am not
  285. Surma:someone to easily navigate the Chromium code base and figure out where would you hide this
  286. Jake:Yeah, well, that speaks to the burn trust thing is there's a lot of folks who, you know, get a little bit towards conspiracy theory stuff with Google and the web.
  287. Surma:stuff or say, hi, where would you place this?
  288. Surma:Where could I find all these other, if there are others, default installed, hidden, uninstallable
  289. Surma:extensions that maybe do other things?
  290. Jake:But yeah, I think it's very reasonable and very easy to say, like, well, if they're doing this in plain sight, what else are they doing? Because it's, yeah, it's a big smoking gun right there. Oh, well. Well, do you know what's great? We don't have to deal with this anymore. From in terms of like, you know, trying to fix it.
  291. Surma:Yeah, exactly.
  292. Surma:We don't have to defend it or apologize for it or try to push both sides.
  293. Jake:No.
  294. Surma:Yeah, no, that's what I was thinking as well.
  295. Surma:Sometimes it's nice to just be able to lean back and eat the popcorn, which is kind of
  296. Surma:what I did while scrolling that tweet.
  297. Surma:It's very refreshing, but I figure that is probably enough dystopian bleakness.
  298. Jake:Until next time.
  299. Surma:Until next time, where we, where OTMT comes back with more dystopian bleakness and tangents.
  300. Surma:That's a good tagline.
  301. Surma:Ooh, I like that.
  302. Jake:This is a tight 30 minutes as well. Nice.
  303. Surma:Look at us go.
  304. Surma:Well, I guess at this point there's the usual left to say.
  305. Surma:Happy next time!
  306. Jake:Happy next time. Bye.
  1. Chrome's new LLM AI API OMG

    Chrome's new LLM AI API OMG

  2. Chrome’s secretly installed extensions

    Chrome’s secretly installed extensions

  3. Are web components worth it?

    Are web components worth it?

  4. Why Source Maps don’t always work

    Why Source Maps don’t always work

  5. Putting React In The Browser

    Putting React In The Browser

  6. Canvas-based Web Apps

    Canvas-based Web Apps

  7. The Apple PWA Ban

    The Apple PWA Ban

  8. TC39 Roundup and Bevy’s ECS

    TC39 Roundup and Bevy’s ECS

  9. The Big Build Bool Bonanaza II

    The Big Build Bool Bonanaza II

  10. WebGPU and Browser Ideologies

    WebGPU and Browser Ideologies

  11. From the Archive — Changing jobs, Deno, and optimizing animations

    From the Archive — Changing jobs, Deno, and optimizing animations