Et Tu, Grammarly?
79 comments
· March 29, 2025 · preinheimer
horsawlarway
Yeah, similar boat here. 1pass still breaks opening the chrome sidepanel UI from content scripts in other extensions. They screw up the trusted flag that indicates the event is coming from a user interaction.
Ultimately, as someone in the extension space for more than a decade now, Google is really at fault... Manifest v3 is just crappier than it should be in a LOT of ways (entirely outside the politics of the ad blocker changes - which is a whole different can o worms).
Overall, I think the quality of the chromium codebase feels a lot lower than it used to.
karaterobot
If you're injecting scripts or styles into unknown pages, the least you can do is namespace your variables.
bryanrasmussen
this really pisses me off because about 5-6 months ago I was doing an interview for a job that of course I did not get because old, and I talked about an Instagram / branding startup thing I was the CTO of and main programmer in 2014 and how I made this build system to make sure that css classes and JavaScript objects were properly namespaced and how we made sure there were no potential collisions and the way we made sure exactly what scripts needed to be loaded on the page based on which of our widgets were on the 3rd party client site etc. etc. and at the end of it the guy interviewing me said dismissively there are tools that do that and everybody does that nowadays which I sort of had to agree they probably did because who knows, I'm not really doing that thing any more, and now it turns out they don't even.
on edit: fixed some grammar
elros
In any case sounds like you dodged a bullet :-)
mopenstein
I wonder what would happen if you cut your salary requirements in half. Would they still reject you on your age or what? And if so, would they reject you if you slashed it in half again? And keep slashing until they hired you. Just as an experiment
bryanrasmussen
I'm not somewhere you earn SV wages, so half my wage would be less than a junior gets paid in my country, and half that again would be less than I get for unemployment. Given market conditions I have dropped 10-15% off asking price but I don't think it is worth that much more for me to drop, given that if I can't get at that I probably can't get.
also, yeah, what the neighboring comment said - you do seem to think I should consider working for free...
mvid
“There is no ageism, because you could work for free or at a loss!”
tikhonj
Hell, namespacing makes life easier even just for yourself. I wrote some browser automation in a previous role that was never going to be user-facing—it wasn't an extension—and it still proved useful to namespace things, both to clearly mark what we were inserting vs what was already there, and to avoid possible collisions.
MasterScrat
I'm out of the frontend field - what would be common ways to handle CSS namespacing these days?
echoangle
I don't know if this is what was meant by namespacing but I've seen '--{{ projectname}}-my-variable' before, so something like '--grammarly-rem' in this case.
the8472
or better yet: use shadow dom
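The prefix convention discussed above can be checked mechanically before a stylesheet is injected into third-party pages. This is an added example, not code from the thread or from any extension mentioned in it; the `acme` prefix, the function names and the sample CSS are constructed for illustration.

```javascript
// Added example: lint and rewrite CSS custom properties that lack a project prefix.
// Matches a custom-property *declaration* (`--name:`), not a `var(--name)` use.
const DECLARATION = /(^|[;{\s])(--[A-Za-z0-9_-]+)\s*:/g;

// Return every declared custom property that does not start with `--<prefix>-`.
function findUnprefixedCustomProperties(cssText, prefix) {
  const withoutComments = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  const required = `--${prefix}-`;
  const offenders = new Set();
  for (const match of withoutComments.matchAll(DECLARATION)) {
    if (!match[2].startsWith(required)) offenders.add(match[2]);
  }
  return [...offenders];
}

// Rename each offender, in declarations and in var() references alike.
function namespaceCustomProperties(cssText, prefix) {
  let out = cssText;
  for (const name of findUnprefixedCustomProperties(cssText, prefix)) {
    const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    // Lookarounds keep `--rem` from matching inside `--rem-large` or `--x--rem`.
    const whole = new RegExp(`(?<![A-Za-z0-9_-])${escaped}(?![A-Za-z0-9_-])`, "g");
    out = out.replace(whole, `--${prefix}-${name.slice(2)}`);
  }
  return out;
}

// Constructed stylesheet: one generic name that can collide with the host page.
const SAMPLE_CSS = `
:root { --rem: 16; --acme-accent: #0a0; }
.acme-card { font-size: calc(var(--rem) * 1px); color: var(--acme-accent); }
`;

const SAMPLE_OFFENDERS = findUnprefixedCustomProperties(SAMPLE_CSS, "acme");
const SAMPLE_FIXED = namespaceCustomProperties(SAMPLE_CSS, "acme");
```

A prefix only lowers the odds of a name collision; styles placed inside a shadow root are scoped to it, although custom properties set on the host page still inherit into it.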
jFriedensreich
It's frightening to see how many screenshares and recordings contain that green infestation as default on every website, not just the obvious visual disturbance (am I the only one who thinks the green is ugly and clashes with most websites' colors?) that does not seem to bother users but the privacy and obvious attack vectors that come with it. Chrome can enable extensions only when needed, why does no one do this? Why is this not the default on every browser?
mrweasel
I count myself fairly lucky to have colleagues that care about these sorts of things. We have had meetings halted because it was obvious that some participants had certain extensions installed, AI assistants of various types, and some colleagues aren't comfortable with information potentially being picked up by a third party. So the meeting is halted until the extension is disabled.
the__alchemist
Clarify?
echelon
I suppose they're concerned so many people are blindly installing Grammarly without a sandbox.
I'm concerned too, but from the angle that writing on the internet is becoming less human, more robot protocol. Even when it's from humans.
As if bots weren't enough of a problem, imagine when social media is just people clicking on buttons: "write a funny response", "write a comment in disagreement", "write 'same'", etc.
ZeroTalent
> As if bots weren't enough of a problem, imagine when social media is just people clicking on buttons: "write a funny response", "write a comment in disagreement", "write 'same'", etc.
There are already extensions for this purpose.
replai.so and dozens of others
financetechbro
[flagged]
olevzhyn
Hey. I’m an engineer at Grammarly Extension. First of all, I’m really sorry that our extension broke the UX on dbushell.com and caused the author to spend time and effort figuring this out.
That was never intentional, and we are using various techniques to prevent this from happening. Unfortunately, that wasn’t enough. The article clearly shows that there’s room for improvement.
We temporarily added an exception for dbushell.com as a quick fix. In the meantime, we’re working on a change to ensure proper style isolation; such issues must never be the case.
Thank you!
Aldipower
I've a similar problem with Google Translate that breaks my web app. Users, using Google Translate, complain my app is broken, but it was Google changing the state of my app from a higher meta level. Really bad practice..
I am trying to detect Google Translate and print a warning then.
netsharc
Maybe related, from 2 days ago: https://www.pewresearch.org/decoded/2025/03/21/how-a-glitch-... / https://news.ycombinator.com/item?id=43441880
MartijnHols
While Google Translate's interference sucks, with current browser tools, I don't think they can really operate any other way.
This is mostly because of cases where they need to translate a sentence like "[Click here] for more information". When translating it to another language, they may have to move the link to the end e.g. "For more information, [click here]". The only way to achieve that is to shuffle DOM elements around, which can cause interference with interactive apps.
There's still a lot the Google Translate team can do to reduce the interference they cause, but I don't think they can fully eliminate it without some new browser APIs.
kelvinjps10
But they are the owners of a browser
kstrauser
I passed this along to the engineering team.
stavros
This is fairly unrelated, but it irks me when one-line fixes like this sit for ages in backlog hell. I want a company where developers go "might as well fix that now, it's faster than writing a ticket for it".
I see people where I work not do this, and it drives me crazy. Our director of engineering will literally add tickets for himself to do things that would take less time to just do. At least I hear "I took a page from your book and messaged the person instead of adding a ticket for myself to message them" often, which is a good sign.
kstrauser
To be clear, I'm answering this purely from a personal standpoint and not talking about any particular employer, and this doesn't relate to this specific issue at all.
Yes, I totally agree. The point of processes is to enable a company to manage huge amounts of potential work. Sometimes, processes can get in the way of just doing the simple thing we all know needs to be done.
Buuuut, I've been on the other side of that, too. Someone asks me to make some change. Sure! That's a reasonable idea and it would improve things. Making the change would take about 20 minutes. However, 437 different systems expect that thing to have its current behavior, and updating them to use the new behavior would be quite the project. In a vacuum, the change is simple and shouldn't take long to implement. Not many things operate in a vacuum, though.
For example, it would take like 5 minutes to do a "find all" in the Nginx source code and fix the misspelling of "referrer" as "referer". It would take a lot longer to update the standards with the correct spelling, and every client and other server to use it, would be slightly more challenging.
stavros
Sure, but that's not what I'm talking about. That's not a change that takes 20 minutes, that's a change that takes years.
I'm talking about things like fixing a typo, where it literally takes multiple times the work to write the ticket than to grep for it, fix it, and push a PR.
quesera
> Our director of engineering will literally add tickets for himself to do things that would take less time to just do
I've done this. It irks me too, but sometimes I'm in organizational mode, and sometimes I'm in execution mode. :)
Also, I work in an environment[0] where all work is required to go through the formal tracker documentation flow (and all code changes must be approved by a second party).
So the ticket step is non-optional, and in fact required before work can begin -- we name branches with the ticket ID, so that Pivotal[1] can track the GitHub lifecycle.
[0] PCI-DSS, SOC 2, etc
[1] RIP :(
stavros
Yeah, I guess if you're in a regulated environment, you have no choice. Most companies have no excuse, though!
emptysea
At work we have a lot of sentry errors related to browser extensions doing weird stuff.
Chrome’s Google translate is also notorious for breaking react based sites.
It ends up being a tedious triage process to ignore each new extension issue. We use the client side filtering to reduce our ingest volume. In general we have to have a lot higher thresholds to handle the noise vs our backends.
MartijnHols
It's not just noise though; clients are actually experiencing crashes and other issues because of it. I wrote an in-depth article on the Google Translate extension's interference of React (and other webapps): https://martijnhols.nl/blog/everything-about-google-translat...
It's no wonder frontend has a lot more errors, after all it has to support so many more client variations than a typical backend. It can be very hard to make a big webapp that works well for everyone.
jgalt212
> At work we have a lot of sentry errors related to browser extensions doing weird stuff.
Are you referring to the "Object captured as exception" error which Sentry refuses to give any guidance on? We just end up filtering these out client-side.
emptysea
Ah yeah I remember that one, but can’t remember the origin.
A lot of times the reason sentry can’t do much is because the browser JS VMs have terrible/non-existent stack traces, especially true with things like unhandled rejected promises.
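The client-side filtering mentioned in this subthread can be done in a `beforeSend`-style hook that looks at where the error was raised. This is an added example, not code from any commenter or from Sentry; the events, the `app.example` host and the extension id are constructed, and the per-extension tally is an assumption about what triage would want to keep.

```javascript
// Added example: drop Sentry-shaped events raised from browser-extension code.
const EXTENSION_URL = /^(?:chrome|moz|safari|safari-web)-extension:\/\/([^/]+)/i;

// Tally of dropped events per extension origin, so triage can still see volume.
const droppedByExtension = new Map();

// Sentry orders frames oldest to newest, so the last frame is where the error was raised.
function throwingExtensionId(exceptionValue) {
  const frames = exceptionValue?.stacktrace?.frames ?? [];
  if (frames.length === 0) return null;
  const match = EXTENSION_URL.exec(frames[frames.length - 1].filename ?? "");
  return match ? match[1] : null;
}

// Returns the extension ids only when every exception in the chain came from one.
function extensionIdsIfAllFromExtensions(event) {
  const values = event?.exception?.values ?? [];
  if (values.length === 0) return null;
  const ids = values.map(throwingExtensionId);
  return ids.every((id) => id !== null) ? ids : null;
}

// Same contract as a Sentry beforeSend hook: return null to drop, the event to keep.
function beforeSend(event) {
  const ids = extensionIdsIfAllFromExtensions(event);
  if (ids === null) return event;
  for (const id of new Set(ids)) {
    droppedByExtension.set(id, (droppedByExtension.get(id) ?? 0) + 1);
  }
  return null;
}

// Constructed sample events; the extension id is a placeholder.
const fromExtension = { exception: { values: [{ type: "TypeError", stacktrace: { frames: [
  { filename: "https://app.example/static/main.js", function: "render" },
  { filename: "chrome-extension://placeholderextensionid/content.js", function: "patchDom" },
] } }] } };
const fromApp = { exception: { values: [{ type: "TypeError", stacktrace: { frames: [
  { filename: "chrome-extension://placeholderextensionid/content.js", function: "dispatch" },
  { filename: "https://app.example/static/main.js", function: "onClick" },
] } }] } };
const noStack = { exception: { values: [{ type: "Error", value: "Object captured as exception" }] } };
```

Errors raised in the application's own code are kept even when an extension frame appears earlier in the stack, since those are the crashes users actually see after an extension has changed the page.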
lelandfe
I wonder what one variable could be injected to most break the web. I’m feeling:
--primary-color: transparent
xigoi
--serif: "Comic Sans MS"
dbushell
How do you deal with hostile browser extensions?
Doctor_Fegg
Ah, my favourite complaint for the community website I run. "I can't see any photos on the adverts page." Are you running an ad-blocker? "Yes." What do you think an ad-blocker does...
netsharc
I guess you could figure out valid states for your page's DOM, and a few seconds after the page has finished loading, scan it for "hostile" elements and CSS styles, and delete them...
Having this idea and opening a random page (from The Guardian) on DevTools, somehow somebody's inserted scripts and iframes pointing to twitter.com.
kelvinjps10
But wouldn't you break their extensions if the user wanted them to work?
eadmund
I don’t think that ‘hostile’ is really fair in this case, when ‘insufficiently competent’ will do (albeit at the cost of more syllables).
I am not a fan of Grammarly or their technical model, but I don't think it’s fair to attribute malice when it is adequately explained by stupidity.
It’s been a long time since I did any front-end work: should both Grammarly’s extension and your own code use namespaced property names?
chuckadams
Any sufficiently advanced stupidity is indistinguishable from malice.
QuadmasterXLII
We tried applying Cunningham’s law widely and it created disastrous incentives. It’s better to assume profitable yet destructive incompetence is malice.
dbushell
yep, it's in Grammarly's interest to namespace or scope their CSS in a way that doesn't conflict. Not doing it adequately goes both ways, website CSS could break their extension, or their extension could break the website.
MartijnHols
Unfortunately browsers don't really provide good solutions for extensions that need to inject or change sites. Look at Google's own in-browser translate extension, its DOM manipulation breaks many interactive apps as well. There are no tools available in browsers for it to not need to do that.
amelius
At this point, I'm not installing any browser extensions, period.
gs17
OP's problem wasn't that they had it installed, it's that enough of their users did to make it a problem when it breaks the site's CSS.
bmacho
Browser extensions are the equivalent of running random .exe on your computer except that you have to trust every vendor protecting their keys forever due to the autoupdate.
silvestrov
The biggest problem with browser extensions is that the source code (both css and javascript) is not easy to read/check.
There should be an easy "view source" for extensions inside Chrome and extensions should be mandated to ship non-minimized code.
kelvinjps10
Not even ublock?
bufferoverflow
But our users do.
WJW
Uninstall them?
dbushell
If only I could opt-out, disable, or uninstall those used by visitors to my website when the extension breaks it :(
diggan
Not much you can do, user agents continue to act as agents for the users, meaning you can serve them stuff but beyond that it's up to them to dictate their experience, for better or worse.
It really sucks when extensions do fudgy stuff in global space and sometimes break your stuff though, agree. Best approach I've found is to have a help page you can link to so people can go through the typical steps of "disabling all extensions, clearing cache, etc, etc" when things break in very unexpected ways and you find no causes for it.
MartijnHols
Makes me wonder if you can use this to hijack their plugin. At the very least you should be able to inject text into it, but you can probably render a pretty little login form as well, abusing the trust the user has in their extension. Is injecting elements into a document controlled by others really safe?
echoangle
How would this work? They are injecting CSS into your page, but you can't inject anything into the extension UI from a website. The only thing you could do would be to emulate the extension UI in your website, but for that you don't need to inject anything. You can just copy the design.
MartijnHols
The article mentions they inject a web component. I imagine a bad actor could add something to that. In this case at the very least the author could add a "I hacked your Grammarly extension" text just via CSS, but I'm sure you can go much further, even more so with other extensions (eg password managers).
echoangle
But you could also just add your own lookalike web component to your page that looks like the Grammarly one. If people enter credentials there, it's user error.
nikolay
I am happy with Microsoft's free grammar checker extension - Microsoft Editor [0], which supports foreign languages as well... although I still pay for Grammarly. Microsoft's works more smoothly and on more sites, including Hacker News!
[0]: https://chromewebstore.google.com/detail/microsoft-editor-sp...
jgalt212
- Access your data for all websites
- Display notifications to you
- Access browser tabs
> They could also, you know, not inject their code into every web page ever, unless the extension is actually used?
I guess we know why Grammarly never has any problems raising more funding.
My extension problem story is a bit different. We distribute an extension that makes it easy to switch between proxy servers for geolocation testing.
I ran my worst client demo ever a few months ago. It was like our product simply didn’t work. A lot of pulled hair and frustrating debugging later we discovered that a recent update to the 1Password extension broke ours. They were subscribing to an auth event, but not returning, this timed out so our subscriber was never called. So our extension would tell the browser to change proxy servers, then sit ready to provide credentials, but the request would never come. 1Password’s support team was better than Grammarly’s, but it’s hard to convince an unknown PM to prioritize something, especially if you’re speaking to them via a support team.
We’ve since discovered that there’s some Russian extension you need for government websites that has the same issue.