
The problem is that extension behaviour is very limited without the https://*/* permission.

Say you have an extension that implements spelling check or grammar check. That needs access to every single website to find the text fields it wants to add functionality to.

Same thing with a password manager extension, can't find the login boxes without the https://*/* permission.

You want to read data off any page users are on, or add UI elements to every page users are on, or modify style sheets on any page, you need that global permission.

About the only extensions that don't need global https permissions are extensions that are designed to only work on a finite set of websites (Facebook improvement extensions, or Reddit improvement extensions), or things like Pushbullet that don't really need to be a Chrome extension in the first place; they could be implemented as a system tray applet.

This isn't the fault of extensions, this is the fault of Chrome for not providing ways to do things without full wildcard https://*/* permissions.



Pushbullet actually has a desktop application with a tray applet. But if you keep your browser running 24/7 it might well be worthwhile to use an extension instead of another piece of software that installs separately, and has more access to your computer.


It should be possible to have an extension interface that allows a spellchecker/grammar checker to get a button on text input fields such that if you click it, then the extension is activated on that field at that time. That seems like a much better Least Privilege design to me than giving the extension access to... literally everything you do.
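
Added example (not written by any commenter in this thread): a small Node.js audit that sorts an extension manifest into the three cases the thread distinguishes, namely access to every site, access to a finite set of sites, or access only when the user invokes the extension. It assumes Chrome's manifest keys `permissions`, `host_permissions` and `content_scripts[].matches` and the `activeTab` permission; the function names and sample manifests are constructed for illustration.

```javascript
// Parse a Chrome match pattern such as "https://*.example.com/*".
// Returns null for API permissions like "storage" that are not host patterns.
// Only http, https and "*" schemes are handled, since that is what the thread discusses.
function parsePattern(p) {
  if (p === "<all_urls>") return { scheme: "*", host: "*" };
  const m = /^(\*|https?):\/\/([^/]+)\/.*$/.exec(p);
  return m ? { scheme: m[1], host: m[2] } : null;
}

// Gather host patterns from every place a manifest can request them at install time:
// MV2 "permissions", MV3 "host_permissions", and content script "matches".
function hostPatterns(manifest) {
  const scripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...(manifest.permissions || []), ...(manifest.host_permissions || []), ...scripts];
}

// Classify the manifest: "all-sites", "finite-set", "on-click" or "none".
function auditManifest(manifest) {
  const parsed = hostPatterns(manifest)
    .map((p) => ({ pattern: p, parts: parsePattern(p) }))
    .filter((e) => e.parts !== null);
  const global = [...new Set(parsed.filter((e) => e.parts.host === "*").map((e) => e.pattern))];
  const hosts = [...new Set(parsed.filter((e) => e.parts.host !== "*").map((e) => e.parts.host))];
  const onClick = (manifest.permissions || []).includes("activeTab");
  let scope = "none";
  if (global.length > 0) scope = "all-sites";
  else if (hosts.length > 0) scope = "finite-set";
  else if (onClick) scope = "on-click";
  return { scope, global, hosts, onClick };
}

// Constructed sample manifests (not real extensions).
const SPELLCHECK = {
  permissions: ["storage"],
  host_permissions: ["https://*/*"],
  content_scripts: [{ matches: ["https://*/*"], js: ["check.js"] }],
};
const SITE_TWEAKS = {
  host_permissions: ["https://*.example.com/*", "https://forum.example.org/*"],
};
const ON_CLICK = { permissions: ["activeTab", "scripting"] };

for (const [name, m] of Object.entries({ SPELLCHECK, SITE_TWEAKS, ON_CLICK })) {
  console.log(name, JSON.stringify(auditManifest(m)));
}
```

The `on-click` case corresponds to Chrome's `activeTab` permission, which grants access to the current tab only after the user invokes the extension.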



