Can we start a petition for Google to let us disable extensions on specific sites? After reading the last few stories about this, I am quite sure I don't want any extensions whatsoever running in the same tab as my Gmail account. I think there is some extension that does this for you (turns off other extensions per site), but then we get into a "who guards the guardians" situation.
Not to mention we need better and finer grained permissions for extensions in general, now that we use so many web apps with crucial data.
I achieve this by having multiple users in Chrome. My main user is signed into my Google account and has no extensions installed and all plugins disabled; I only access Gmail and Google services with it.
My second user account is logged into basic services like HN, reddit, amazon and has only adblock and disconnect installed.
A third user is not logged in anywhere and has adblock and a half-dozen other extensions installed including UA switcher. No plugins installed and cookies + cache cleared every day.
4th user has all the anonymity extensions installed and has privoxy + tor set as the proxy.
I use Facebook in a completely different browser again, YouTube and video watching in yet another and development in chromium.
7 or 8 different cookie stores, and a throwaway temp email account associated with the 3rd and 4th user for signing up to services.
Start out by creating a separate user for browsing sites and eventually develop your own way to split up your web browsing profiles.
This can get a bit messy when you try and access from tablet or mobile, but I'd rather not have a single large profile and a huge exploit surface and sacrifice browsing history and remembering passwords.
Start off with two profiles and go from there. I use virtual desktops (spaces on OS X) to manage it. Space 2 is gmail, space 3 is logged in sites, space 4 is development, etc.
Once you get used to it you instinctively switch without thinking about it.
I also created an app for OS X that creates temporary throwaway browser sessions for any supported browser you have installed:
Security and privacy - separate rings of trust for different websites. To me the idea of trusting every website on the internet with all of your cookies, extensions and plugins is crazy.
Look into running separate sessions of your browser(s). Both Firefox and Google Chrome (or Chromium) allow you to do this, although the interfaces for doing so differ.
A simple way to do this is to use different brands of browser, e.g. Gmail in Chrome and everything else in Firefox. But... if you really prefer one browser over another, for all use, then the separate profiles thing works.
Note that in Chrome, this is now confused by the ability to change Google account log-ins. That is not a separate, browser-level profile with separate configuration.
Instead, you are looking for the command line invocation argument --user-data-dir (in *NIX, at least; IIRC the flag name may differ slightly in the Windows version).
For Firefox, there is the -p flag. IIRC, you have to combine it with another flag in order to ensure both that the profiles are running in separate invocations and that you can be prompted to choose what profile to use when you invoke Firefox.
Of course, you can create menu items / icons for these invocations to make them "clicky" and avoid having to go to the command line and enter them each time, if you prefer.
P.S. Yes, this will help you less if you insist upon clicking directly on/through links that are e.g. mailed to you or, if you have Facebook in its own "box", posted on Facebook.
From that perspective, having per site browser extension variability might still be useful. But then, you're still looking at also controlling referer passing, cookies and other local data, etc., etc.
To run a new, separated Firefox with a (possibly) different profile:
firefox -no-remote -ProfileManager
It's always handy to have a "vanilla" profile, to compare how much the extensions tuned down the browser or try to understand if the error that you're seeing is caused by an extension. Having a "privacy" profile with some ad-hoc extensions helps too.
Mind you, -ProfileManager actually opens to the full profile manager interface (where you select a profile to run, or create a new one, or whatever). You can load a specific profile (that already exists) directly by replacing "-ProfileManager" with "-P [profile name]". (Omitting the name will open the manager, too.)
Thanks. Sorry I mis-remembered the flag(s) from memory. And be sure you're using both, to make sure the separate profiles do not share the same process or something like that (again, from memory; Google can quickly turn up the details).
Your memory is right. Without -no-remote you would end up spawning another window from the currently running Firefox. Without -ProfileManager you can't choose a different profile.
It's also a good idea to use different themes per profile (and I see you suggested it too).
I tried running a Chromium session with no extensions for the stuff I want to be more secure (email/banking/etc.), while using Chrome for everything else, and this does work in a way. But I find that I tend to forget to switch to the other browser sometimes. A solution which said "don't run extensions on mail.google.com and online.my_bank.com" would be a lot more convenient.
The separate browser solution does protect from tracking, but with the security threats of today, like these malicious extensions with access to all your data, I've become desensitized to mere tracking.
I changed the color scheme for one profile (although, that involved installing and trusting the color scheme; I got mine directly from Google's site as opposed to a third party site).
An extra cue, when the border background, tabs, etc. look different in one versus the other. Still hardly foolproof...
Opera 12 has the ability to disable access of specific extensions to https sites and/or private tabs (by default access to https sites is enabled and to private tabs is disabled). Maybe there is hope that they will implement it in Blink-based Opera, but now they only have the ability to disable access of specific extensions to private windows and have no private tabs at all.
Opera 12 is ancient history. Opera 18 is now basically Chrome without the ability to set a custom search engine as default. Even with sqlite hacks, there's no way to set DDG as default on the stable release versions.
Once an extension can modify the DOM (and most extensions need it) you lose any hope of permissions. From injecting JavaScript to sending data by modifying an img[src], there's no way to protect your privacy. I don't think that permissions are a viable model here, it's more a problem of trust and auditing.
Extensions have the option of working only on a set of domains. So you could only install Gmail extensions that work only on gmail.com and not on * as 99.999% of the extensions do. Most need to, like referrer blockers and user agent spoofers. But we only need those global extensions because Google actively removes those functionalities from Chromium, on a regular basis, after someone in the community adds it. Over and over again.
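Added example, not part of the original thread: a small Python audit of the point made in the comments above, listing which match patterns in an extension's manifest let it run on a sensitive host. The two manifests are constructed samples and the function names are this example's own; the path part of a pattern is ignored.

```python
import json

def host_patterns(manifest):
    """Collect match patterns from MV2 permissions, MV3 host_permissions
    and content_scripts[].matches."""
    found = [p for p in manifest.get("permissions", [])
             if isinstance(p, str) and (p == "<all_urls>" or "://" in p)]
    found += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        found += script.get("matches", [])
    return sorted(set(found))

def pattern_covers(pattern, host, scheme="https"):
    """True if a match pattern grants access to scheme://host/ (path ignored)."""
    if pattern == "<all_urls>":
        return True
    p_scheme, sep, rest = pattern.partition("://")
    if not sep or (p_scheme != "*" and p_scheme != scheme):
        return False
    p_host = rest.split("/", 1)[0]
    if p_host == "*":
        return True
    if p_host.startswith("*."):
        base = p_host[2:]  # "*.example.com" covers example.com and subdomains
        return host == base or host.endswith("." + base)
    return host == p_host

def audit(manifest, sensitive_hosts):
    """Map each sensitive host to the patterns that let this extension run there."""
    patterns = host_patterns(manifest)
    return {h: [p for p in patterns if pattern_covers(p, h)]
            for h in sensitive_hosts}

# Constructed sample manifests (not real extensions).
GLOBAL_EXT = json.loads("""{"name": "ua-switcher-sample", "manifest_version": 2,
  "permissions": ["tabs", "webRequest", "<all_urls>"]}""")
SCOPED_EXT = json.loads("""{"name": "mail-helper-sample", "manifest_version": 2,
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["c.js"]}]}""")
SENSITIVE = ["mail.google.com", "online.my_bank.com"]

if __name__ == "__main__":
    for ext in (GLOBAL_EXT, SCOPED_EXT):
        print(ext["name"], audit(ext, SENSITIVE))
```

An empty list for a host means the manifest declares no pattern reaching it; any non-empty list on a mail or banking host marks an extension to review or move to another profile.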
Chrome doesn't run extensions by default in incognito mode.
> Because Google Chrome does not control how extensions handle your personal data, all extensions have been disabled for incognito windows. You can reenable them individually in the extensions manager.
Keeping your gmail tab in an incognito window might be a good approach.
While it's a decent workaround, I wouldn't call it ideal, namely because it requires a second window open when you might be starved for screen real estate and also because accidentally opening your mail once in a normal window could cause damage.
The Ghost Incognito extension allows you to force certain sites to always use Incognito mode. I realize using an extension to accomplish this objective is somewhat ironic, but seems like it'd work in this case if you can trust that one extension.