To an extent... There's the new Manifest V3 proposal that locks things down a bit more. The major problem the author seems to have is, code on webpages can always be updated. This is particularly relevant in this day and age where JS single page apps have thousands of dependencies, and if any one of those are compromised, an attacker can exploit the supply chain and inject malicious code into browsers that reveal secrets.
He does point out that extensions help mitigate against this a bit, since extensions are explicitly versioned and distributed from an authority that can sign that specific code. This is marginally better, but extensions will also update without user knowledge or intervention. This cuts both ways; if a critical vulnerability is found, it can be nice to rush a fix out, but there's also the problem that an attacker can exploit this also, and for a period of time, their exploits can automatically update in every running browser.
not a dev but my understanding is can never be 100% confident you'll stop supply chain attacks so need to build in way were vulnerabilities aren't fatal, is that possible with web (vs app) dunno..
the other thought I had is something like wasm 'better' because its compiled code isn't it, not links to external libraries? is that why ldk/mutiny would go down that path.
all very interesting
and very relevant
reply