
I think an even better policy is to let the browser prompt if the permissions that the extension demands are grossly above those required for its purported purpose.

It may seem like a hard machine learning problem, but it seems to me that one could catch the most blatant offenders easily -- changing background colors at *.facebook.com should not require the ability to communicate with malwarehost.com or the ability to read data across all websites.

Combine this with the fact that most extensions people install are not malicious, and you already have a decent training corpus (to treat this as a one-class classifier).

Edit: escape characters
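
The check described in the comment above, sketched as an added example that is not part of the original thread: a fixed rule-based audit of a Chrome-style `manifest.json`, standing in for the one-class classifier the comment proposes. The `purposeDomains` input, the two rule lists and the sample manifest are assumptions made for illustration.

```javascript
// Heuristic only: ALL_SITES and SENSITIVE_APIS are illustrative lists chosen for this example.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_APIS = new Set(["cookies", "history", "webRequest", "debugger"]);

// Extract the host part of a match pattern such as "https://*.facebook.com/*".
function patternHost(pattern) {
  const m = /^(\*|[a-z]+):\/\/([^/]*)\//.exec(pattern);
  return m ? m[2].toLowerCase() : null;
}

// True when the pattern's host is purposeDomain itself or a subdomain of it.
function hostWithin(host, purposeDomain) {
  const bare = host.replace(/^\*\./, "");
  return bare === purposeDomain || bare.endsWith("." + purposeDomain);
}

// Compare what the manifest requests with the domains its stated purpose needs.
function auditManifest(manifest, purposeDomains) {
  const findings = [];
  const hostPatterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
    // Manifest V2 mixes host patterns into "permissions".
    ...(manifest.permissions || []).filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  for (const p of new Set(hostPatterns)) {
    const host = patternHost(p);
    if (ALL_SITES.has(p) || host === "*") {
      findings.push({ severity: "high", item: p, reason: "access to every site" });
    } else if (host === null || !purposeDomains.some((d) => hostWithin(host, d))) {
      findings.push({ severity: "medium", item: p, reason: "host outside stated purpose" });
    }
  }
  for (const api of manifest.permissions || []) {
    if (SENSITIVE_APIS.has(api)) {
      findings.push({ severity: "medium", item: api, reason: "sensitive API for a cosmetic extension" });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real extension), using the hosts named in the comment.
const overbroadTheme = {
  manifest_version: 3,
  permissions: ["cookies", "storage"],
  host_permissions: ["<all_urls>", "https://malwarehost.com/*"],
  content_scripts: [{ matches: ["https://*.facebook.com/*"], js: ["recolor.js"] }],
};
console.log(auditManifest(overbroadTheme, ["facebook.com"]));
```

A manifest that only declares the `https://*.facebook.com/*` content script yields no findings, so a prompt built on this would stay silent for the narrowly scoped case.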



I'd be happy just seeing prominent and clear icons for major threat types, e.g. access to personal data, elevated device access, and so forth. Make them large and suitably threatening. It wouldn't completely solve the problem, but it could take back a lot of ground.



