launchWebAuthFlow & trust...

[wadabum]

Hi, please consider removing the usage of chrome.identity.launchWebAuthFlow.

• you can replace it by either just grabbing my cookie (or however they do it)
  (Live Followlist for Twitch appears to work this way)
• or opening the flow in ACTUAL tabs so Addressbar & similar are visible.
  -- "serverless" there was some black magic about return-urls&extensionIDs,
  -- "with server" a simple JS landing to trigger a chrome.runtime.sendMessage(extensionID, ... ) should do it

Users have been trained for years to pay attention to domains, HTTPS and using password-managers,
this stupid popup chrome opens breaks all of those in the worst way possible.

Most importantly, it also seems to enforce "manual sign-in" on twitches end?
So even the "open the site yourself, login manually, now re-click the apps auth-button and see that you are logged in already" does not seem to work

launchWebAuthFlow is nice if "you want to login into a google account"
(AND you are also logged in with chrome itself into that very same google-Account)
- but for anything else its spooky a.f.

And by the looks they dont intend to change this (2014) https://groups.google.com/a/chromium.org/g/chromium-extensions/c/g82Gfx0m9P8

Thanks