Image

Deleted: img.png 10.8 KB

	img.png 10.8 KB View Download

And what if 1000 sites are listed? 

With 1000 sites from www.example.aaa to www.example.jjj, it shows 984.

These are missing:

$ diff expected listed
    12,13d11
    < www.example.abb
    < www.example.abc
    47d44
    < www.example.aeg
    87d83
    < www.example.aig
    113d108
    < www.example.bbc
    127d121
    < www.example.bcg
    184d177
    < www.example.bid
    202d194
    < www.example.cab
    211d202
    < www.example.cba
    242d232
    < www.example.ceb
    251d240
    < www.example.cfa
    254d242
    < www.example.cfd
    304d291
    < www.example.dad
    641d627
    < www.example.gea
    825d810
    < www.example.ice
    922d906
    < www.example.jcb

Deleted: test-1000.zip 2.3 KB

test-1000.zip 2.3 KB Download

10,000 sites and my browser freezes

Deleted: test-10000.zip 17.5 KB

test-10000.zip 17.5 KB Download

Able to reproduce this issue on reported version 65.0.3325.181, on latest beta 66.0.3359.66 and on latest canary 67.0.3387.0 using Mac 10.13.3, Ubuntu 14.04 and Windows 10.

Observations: 1Issue is seen in old extensions -- Here only few links are seen in permissions tab.

2. In Md-extensions only 984 links are seen (Checked by pasting those to excel and observing count).

As this issue is seen from M-60, considering this issue as Non-Regression and marking as Untriaged.

Thanks!

Deleted: Md-Extensions in M-63.png 28.6 KB

	Md-Extensions in M-63.png 28.6 KB View Download

Deleted: Old extensions.png 56.4 KB

	Old extensions.png 56.4 KB View Download

Deleted: Old extension sometimes.png 245 KB

	Old extension sometimes.png 245 KB View Download

We did this somewhat on purpose to try and not overwhelm the user.  That said, I don't know that it's necessarily helping, and it can be misleading.

meacer@, do you have thoughts on this from an enamel perspective?

I didn't realize we suppressed same hosts with different ccTlds. It doesn't sound good to suppress when few hosts are present.

For large number of hosts, is it possible to do something like this?

"
This extension can:
- Read your data on example.com, example.co.uk, example.de and 997 other sites.
"

"Other sites" could be linkified and display the whole list when clicked (with an appropriate upper size bound)

Yep, we already do this (more-or-less).  See screenshots.

I think one of the reasons we tried to get "distinct" hosts is because we didn't want to list google.[x] a hundred times, since it's not *terribly* useful to the user, and it can distract from another host in there (e.g., a single example.com amidst 100 google.coms).  That said, this is obviously much less helpful when the hosts really are very distinct entities.  Another reason is probably that we were worried about scaring people if an extension just wanted to run on google, but because of that had to request 100 different hosts.  But, being scary might not be wrong here.

I'm open to just showing all the TLDs, but this would be a pretty significant behavior change.

Deleted: Selection_017.png 12.1 KB

	Selection_017.png 12.1 KB View Download

Deleted: Selection_018.png 14.4 KB

	Selection_018.png 14.4 KB View Download

Deleted: Selection_019.png 12.9 KB

	Selection_019.png 12.9 KB View Download

Understood. And thinking again, I think this is a reasonable grouping heuristic. Obviously www.example.aaa...www.example.jjj is much less of a problem since most of those TLDs don't exist today.

Perhaps a minor tweak could be to say "All example.com sites" instead of "example.com" for [example.com, example.com.br etc], but otherwise the current behavior strikes a good balance between usability and security.

I think the largest concern is when the TLDs are very different entities.  e.g., ca.gov vs ca.com.

On the one hand, we can hope that the user will associate the "scariest" TLD with the warning, but on the other, sometimes these can be significantly different - and the TLD may carry some weight (e.g. some users may say that any extension requiring any .gov is scary).  We make the mostly-arbitrary designation that .com is "the most important" TLD, but it isn't always...

Issue 894017 has been merged into this issue.