My wife and I have a family account. I absolutely love it and have used it for a while. I’m a programmer and use it more for that kind of thing. She, however, does the purchasing and shopping and product hunting for our house. She keeps trying to use it but ends up with Google tabs open anyway. As much as I’m a big Kagi fan, YMMV depending on your usage patterns.
I participated actively in the Google Local Guides. I depend on the content from there to discover stuff geographically. But I’m also aware reviews and interactions and even images that look human can’t really be counted on anymore.
The issue here is that Canada belongs to all Canadians. A portion of voters in one province can’t just vote to help themselves to the territory of Canada.
I worked at Shopify at the time this became legal and several provinces were launching on our platform. It was a monumental lift to get every single thing a transaction from these shops touches to only run on or through infrastructure on Canadian soil for this exact reason.
If you've written about this on a blog or elsewhere, I would be very interested in hearing more about this.
Can you say more here? Is this a payment gateway thing? I thought if you used a Visa/Mastercard/etc. that data is up for grabs by a foreign government, but if it's Interac or some other payment method, does that ensure the data resides only in Canada?
Unfortunately it wasn't my project so I can't speak to it with detail or authority. I was just observing.
It was things like: Where do log statements go? Via what path? Are we sure none of those routers are in the US? Can we spin up new instances of EVERYTHING in a `-ca` region? Can we force traffic for this shop to only use those instances? What about vendors? Can we disable US-only vendors of whatever? What about backups? What things are centralized (which were good to identify)? Can we region those too? Can we disable/bypass them?
And do that for every bit and packet for a very complex system. I think that it launched with a considerable number of features just disabled. Privacy trumped everything.
Dunno if it's the best brand in terms of bang for your buck, but I've bought a lot of shirts from "Have it Tall" on amazon and I have zero complaints about the fit. 6'4" and a pretty average build.
It isn’t exactly. They created a list of known extensions by their id and a file which is known to exist in that extension. The site iterates over each pair and tries to load that file; if it doesn’t error, it knows the extension is installed. It’s a clever and difficult manual process, but it does bypass the security trying to prevent this kind of thing.
I read that their reasoning is it exists to block users that use known scraper extensions which bypass their terms of use. But I don’t entirely buy that.
This is how I interpreted the original question, and indeed it makes no sense: JavaScript from a website should not be allowed to interact with extensions like this.
It's actually the extension injecting itself into the webpage, often to interact with it. (I imagine much of this is just looking for global ExtensionName objects.)
Actually, the article is clear about what is happening technically, and it’s both. Chrome does, in fact, allow the page to make requests for resources stored in the extension bundle, and this is one of the two fingerprinting methods that the article describes.
I agree, and this is why I built 404. If you poke around the page a bit, you'll see a tool that prevents browser fingerprinting.
404 catches JS calls in JS proxies and returns mocked-up values (assigned by a profile), it also has protections against TLS fingerprinting, canvas fingerprinting, device enumeration, TCP/IP fingerprinting, HTTP header fingerprinting, and more.
The predatory practices that browser fingerprinting has enabled, guised behind "fraud protection", are atrocious. Even with a VPN, even in incognito mode, a website can track me and see what I've been doing EVEN IF IT'S NOT ON THEIR SITE.
Then a data broker buys all this data and uses an AI model to put it all into a pretty little package and sell it to Google, or the gov't, or something. It's scary.
Because extensions can and often do contain stuff like images or JS bundles that they inject into a target page's DOM. Not allowing a tab's context to load files from the chrome-extension:// namespace would break a lot of things.
True, but you'd expect the same CORS rules to apply for extensions.
Only pages originating from an extension are by default able to load resources from said extension.
Chrome exposes these files via a URL that you can fetch in javascript like you would any other file on a normal website. These local extension files usually contain code, styles or images that your browser needs to run the extensions.
CORS is a server setting to tell the browser not to load its data from potentially unsafe origins. If you set a server to send access-control-allow-origin: *, then your browser will happily load these resources for you regardless of where you currently are. And chrome extensions need to be loadable from everywhere to be able to inject code or images into pages, so enabling CORS for them would defeat their main purpose. The extensions themselves might even need to bypass an existing CORS setup for the website you are currently on to fetch additional data.
From the other end, yes extensions access all page data, but pages shouldn't access extension data at all; it feels like that should be the CORS violation.
You have it backwards. For an extension to work on a page, its data/code needs to be accessible from said page. If your extension server in chrome enforced CORS to prevent access from tabs on other websites, extensions wouldn't work anywhere.
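The exposure the thread is arguing about (a site loading a known file from a known extension id, and why CORS does not stop it) is decided entirely by the extension's `web_accessible_resources` manifest key. As an added example that is not code from anyone in this thread, here is a small audit that reads a manifest and reports which files any web page could request at a stable `chrome-extension://<id>/<path>` URL. Both manifests are constructed samples; the `use_dynamic_url` key is Chrome's MV3 option for a per-session random URL, and the "broad pattern" check is a deliberate simplification that compares a few exact match-pattern strings rather than parsing match patterns in full.

```javascript
// Added example (not from the thread): audit an extension manifest's
// web_accessible_resources for files that any web page can load at a
// stable URL, i.e. files that work as a presence probe.
// Both manifests below are constructed samples, not real extensions.

const MV2_MANIFEST = {
  manifest_version: 2,
  name: "Constructed MV2 sample",
  // MV2: a flat list of paths; every entry is loadable from every origin.
  web_accessible_resources: ["inject.js", "icons/logo.png"],
};

const MV3_MANIFEST = {
  manifest_version: 3,
  name: "Constructed MV3 sample",
  web_accessible_resources: [
    // Weak: stable URL, reachable from every origin.
    { resources: ["inject.js"], matches: ["<all_urls>"] },
    // Scoped: only pages on the one site the content script targets.
    { resources: ["icons/logo.png"], matches: ["https://example.com/*"] },
    // Broad, but served under a per-session random URL so the path
    // cannot be hard-coded into a probe list.
    { resources: ["style.css"], matches: ["<all_urls>"], use_dynamic_url: true },
    // Shared with other extensions only; no "matches", so not page-reachable.
    { resources: ["shared.json"], extension_ids: ["*"] },
  ],
};

// Match patterns that cover effectively every web origin. Simplified check:
// exact strings only, not a full match-pattern parser.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns one finding per declared resource path.
function auditWebAccessibleResources(manifest) {
  const entries = manifest.web_accessible_resources || [];
  const findings = [];

  if (manifest.manifest_version === 2) {
    // MV2 offers no origin restriction and no dynamic URL at all.
    for (const path of entries) {
      findings.push({ path, pageReachable: true, broad: true, dynamicUrl: false, probeable: true });
    }
    return findings;
  }

  for (const entry of entries) {
    const matches = entry.matches || [];
    const pageReachable = matches.length > 0;           // extension_ids-only entries are not page-reachable
    const broad = matches.some((m) => BROAD_PATTERNS.has(m));
    const dynamicUrl = entry.use_dynamic_url === true;
    for (const path of entry.resources || []) {
      findings.push({
        path,
        pageReachable,
        broad,
        dynamicUrl,
        // A stable URL that every origin may fetch is what a probe list needs.
        probeable: pageReachable && broad && !dynamicUrl,
      });
    }
  }
  return findings;
}

// Convenience view: just the paths a reviewer should look at first.
function probeablePaths(manifest) {
  return auditWebAccessibleResources(manifest)
    .filter((f) => f.probeable)
    .map((f) => f.path);
}

// Short report when run directly with node.
for (const m of [MV2_MANIFEST, MV3_MANIFEST]) {
  console.log(`${m.name}: probeable = ${JSON.stringify(probeablePaths(m))}`);
}
```

The point the audit makes concrete: CORS is irrelevant here because the resource is served by the browser, not by a web server, and the only knobs that limit who can fetch it are `matches` (which origins) and `use_dynamic_url` (whether the path is stable). An extension that needs its injected files on every site can still remove itself from probe lists by turning on `use_dynamic_url`, which the audit treats as non-probeable.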
This is partially why search is doomed. Sure LLMs are overtaking search, because search has been enshitified to the point you need an LLM to even get the answer you’re looking for.
I keep thinking how often LLMs are used to “solve” problems we created.
“Meeting starts at 3” gets fed into an LLM to turn it into a 3 paragraph email, only to be summarized by a different LLM on the other email client end as “Meeting starts at 3”. What a waste.