Install GNOME extensions through website: security vulnerability?
I found a GNOME extension through a Google search (using Chromium), and was very surprised that I could simply toggle the On/Off switch to have the website install a full GNOME extension on my computer without any other manual steps involved. (Tested; this works with Firefox as well.) Granted, it does pop up a dialog box asking me to confirm installation, but ...
While this is great for ease of use and usability, aren't there security vulnerabilities with this? I would be interested in knowing how exactly this feature works, and whether I should be concerned about any "backdoors" that this might allow for hackers to easily install executables on my machine.
Are the extensions on the GNOME site vetted? Is there a way to tell whether extensions are safe or not?
Are the Chromium and Firefox browsers modified by GNOME in order to allow for this feature? Are there any other custom GNOME Chromium/Firefox changes that users should know about?
UPDATE: Having understood how this works, I now believe this is a really great feature especially for non-technical users, but it did alarm me a little when I first encountered it.
Solution 1:
Yes, and no.
First, the link you clicked on to install an extension was coded in, specifically (I think) to GNOME 3.2, as a method for installation. So in that sense it is a "trusted" site.
Second, GNOME extensions are user scripts, stored only for your user. They don't have access to any information that the user does not have access to. So, for example, there can't be a shell extension that writes files to /.
Third, browsers were not modified, but GNOME Shell was.
Basically, the install method is no less safe than providing you a tar.gz file and telling you to manually extract it in your home directory. Whether or not the individual extensions are safe is a decision you need to make on a case-by-case basis. However, gnome.org is a legit site, as is the extensions subdomain.
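
One way to support that case-by-case decision, as an added example that is not part of the original answer: this Python script inventories the extensions installed for the current user and flags JavaScript files that start programs or open network sessions, so you know which ones to read first. The directory `~/.local/share/gnome-shell/extensions`, the `metadata.json` fields and the pattern list are assumptions not taken from the page, and the sample extensions are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Per-user install directory used by GNOME Shell (assumption: not named on the page).
USER_EXT_DIR = Path.home() / ".local/share/gnome-shell/extensions"
# Calls that start programs or open network sessions. A hit means "read this
# file before trusting it", not that the extension is malicious.
REVIEW = re.compile(r"spawn_command_line_a?sync|spawn_async|Gio\.Subprocess|Soup\.Session")

def audit_extensions(root=USER_EXT_DIR):
    """Return one dict per extension directory found under root."""
    root, report = Path(root), []
    if not root.is_dir():
        return report
    for ext in sorted(p for p in root.iterdir() if p.is_dir()):
        entry = {"dir": ext.name, "name": None, "url": None, "flags": []}
        try:
            meta = json.loads((ext / "metadata.json").read_text(encoding="utf-8"))
            entry["name"], entry["url"] = meta.get("name"), meta.get("url")
            if meta.get("uuid") != ext.name:
                entry["flags"].append("uuid does not match directory name")
        except (OSError, ValueError, AttributeError):
            entry["flags"].append("metadata.json missing or unreadable")
        for js in sorted(p for p in ext.rglob("*.js") if p.is_file()):
            text = js.read_text(encoding="utf-8", errors="replace")
            hits = sorted(set(REVIEW.findall(text)))
            if hits:
                entry["flags"].append(f"{js.relative_to(ext)}: {', '.join(hits)}")
        report.append(entry)
    return report

def build_sample_tree():
    """Constructed sample data: two made-up extensions in a temp directory."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "clock@example.invalid": "function enable() {}\n",
        "helper@example.invalid": "GLib.spawn_command_line_async('xdg-open .');\n",
    }
    for uuid, source in samples.items():
        (root / uuid).mkdir()
        meta = {"uuid": uuid, "name": uuid.split("@")[0]}
        (root / uuid / "metadata.json").write_text(json.dumps(meta))
        (root / uuid / "extension.js").write_text(source)
    return root

if __name__ == "__main__":
    for e in audit_extensions():
        print(e["dir"], e["name"], e["url"], *e["flags"], sep="\n    ")
```

Run it as your normal user; it only reads files and needs no elevated privileges.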