Woah, I happened to stumble on this bug by accident.

This would be inconsistent with other permission prompts.
The extension ID is certainly less readable than the app name, but it is not spoofable.

Whatever we do, we should make sure to be consistent with regular prompts.

Deleted: Screen Shot 2016-07-06 at 18.28.57.png 63.2 KB

	Screen Shot 2016-07-06 at 18.28.57.png 63.2 KB View Download

Risk: A malicious extension could claim the same human-readable name as a good extension.

Mitigation: This is not the open web; the person would have had to have intentionally installed the malicious extension in the first place.

Counterpoint: Note the "intentionally" in the previous paragraph. There are ways — some, but not all, in Chrome's threat model — for Chrome installations to get malicious extensions without the person really intending it. (Attacker with physical access; 1 installation compromised and then Chrome Sync to all installations; et c.) It might be nice to have some last-ditch way of letting people know that the extension claiming to be "Good Nice Extension" is not the same as the *true* "Good Nice Extension".

Counter-counterpoint: We have the new UI that shows extensions that are installed (to the left of the hamburger menu). For reasons I don't understand, only 2 of my 4 extensions have icons there, though.

On balance, I lean toward showing the human-readable strings, just because the random Chrome extension ID looks un-polished/accidental/confusing in this context.

Idea: we could mitigate the risk of human-readable-name-squatting by requiring that 2 distinct extensions to have names that are sufficiently different (as measured by normalizing the names and then calculating edit distance). We could either disallow the 2nd extension to install, or could show it with a degraded/warningful UI. I'd lean toward not allowing them to install or even to upload to the store. And also scanning the existing extensions.

Spaces = re.compile(r"\s+")
EditDistanceThreshold = whatever

def normalize_confusables(string):
  # ftp://ftp.unicode.org/Public/security/revision-02/confusables.txt
  return TODO

def normalize_human_readable_name(name):
  return normalize_confusables(Spaces.sub("", name).lower())

def names_too_similar(name1, name2):
  return editdistance.eval(normalize_human_readable_name(name1), normalize_human_readable_name(name2)) < EditDistanceThreshold

What about extensions that change their name? Apparently this is allowed (and easy – just change your manifest).

If we're going to show a name, could we at least identify it as an extension?

The extension "Your computer" wants to use your microphone.

(vs: Your computer wants to use your microphone.)

I am working on a CL that puts extension name in quotes in the chooser title. If the it is from a website, then no quote is needed.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a29e116d910898c6f783a2d23cba17a20b5c503c

commit a29e116d910898c6f783a2d23cba17a20b5c503c
Author: juncai <juncai@chromium.org>
Date: Wed Jul 13 02:53:34 2016

Display extension name on device chooser title

When WebBluetooth is used from chrome-extension page, the chooser title
displays Chrome extension ID. It would be better to display the extension
name if it exists. This CL fixes it.

BUG= 626149 

Review-Url: https://codereview.chromium.org/2122073004
Cr-Commit-Position: refs/heads/master@{#404934}

[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/app/generated_resources.grd
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/chooser_controller/chooser_controller.cc
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/chooser_controller/chooser_controller.h
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/cocoa/extensions/chooser_dialog_cocoa_controller.mm
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/cocoa/website_settings/chooser_bubble_ui_cocoa.mm
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/chooser_content_view.cc
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/chooser_content_view.h
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/extensions/chooser_dialog_view.cc
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/extensions/chooser_dialog_view.h
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/extensions/chooser_dialog_view_browsertest.cc
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/website_settings/chooser_bubble_ui_view.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a29e116d910898c6f783a2d23cba17a20b5c503c

commit a29e116d910898c6f783a2d23cba17a20b5c503c
Author: juncai <juncai@chromium.org>
Date: Wed Jul 13 02:53:34 2016

Display extension name on device chooser title

When WebBluetooth is used from chrome-extension page, the chooser title
displays Chrome extension ID. It would be better to display the extension
name if it exists. This CL fixes it.

BUG= 626149 

Review-Url: https://codereview.chromium.org/2122073004
Cr-Commit-Position: refs/heads/master@{#404934}

[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/app/generated_resources.grd
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/chooser_controller/chooser_controller.cc
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/chooser_controller/chooser_controller.h
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/cocoa/extensions/chooser_dialog_cocoa_controller.mm
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/cocoa/website_settings/chooser_bubble_ui_cocoa.mm
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/chooser_content_view.cc
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/chooser_content_view.h
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/extensions/chooser_dialog_view.cc
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/extensions/chooser_dialog_view.h
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/extensions/chooser_dialog_view_browsertest.cc
[modify] https://crrev.com/a29e116d910898c6f783a2d23cba17a20b5c503c/chrome/browser/ui/views/website_settings/chooser_bubble_ui_view.cc

Security>UX component is deprecated in favor of the Team-Security-UX label