Security of the plugins

Here’s a technical analysis on why that’s not feasible:

  • Plugins should be able to execute JavaScript code in the main execution context. While it is possible to attempt to sandbox the plugin script, it’s mostly pointless because there are probably a thousand JavaScript context escape possibilities, and we can’t plug them one by one.
  • Because plugins must be able to execute code, there will be APIs available for which we will be unable to restrict access to specific functionality like networking. An example would be the child_process Node.js library, without which plugins won’t be able to run scripts, use git, etc. If that’s exposed then plugins could in theory do anything they want by executing the right programs.
  • There’s no way to “automatically” detect such things because the JavaScript API is huge. There are many ways to “hide” code execution like eval, new Function(), etc. There are a lot of potential places to exfil your data, for example, sneaking the data into a URL for a font inside the CSS.
  • Manual reviews are impossible - not only because we don’t have enough time to review everyone’s plugin, but also because humans are fallible. A clever plugin maker can easily hide more code on a remote server that is inserted using some sneaky code we don’t understand well.