Hacker News Viewer

Top 20

Anthropic's Claude Desktop App Installs Undisclosed Native Messaging Bridge

by CGMthrowaway on 4/23/2026, 7:43:08 PM

https://letsdatascience.com/news/claude-desktop-installs-preauthorized-browser-extension-mani-4064fb1a

Comments

by: input_sh

Previous version that was [flagged] away from the homepage, even though I now see that the flag was since removed:<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=47829800">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=47829800</a> (125 upvotes, 34 comments)

4/23/2026, 8:55:29 PM

by: jmathai

I only learned about Native Messaging this week.<p>I&#x27;ve been hacking away at a browser-based tool that uses anthropic APIs on the backend. But what I really want is for the browser to talk to my local claude becuase I have MCPs, skills, network access for a bunch of things.<p>I started with a little proxy installed on my computer that the browser can call but knew it would never pass any security review. The alternative I didn&#x27;t originally know about was Native Messaging.<p>It&#x27;s a fairly benign way to let a browser talk to and execute commands on your computer. But doing it without disclosing is, I agree, very bad.<p>(tool I&#x27;m hacking away at needs to talk to local claude and acli: <a href="https:&#x2F;&#x2F;withlattice.com" rel="nofollow">https:&#x2F;&#x2F;withlattice.com</a>)

4/23/2026, 8:37:36 PM

by: midtake

Google Chrome installs a bunch of spyware too, nobody bats an eye

4/23/2026, 9:31:33 PM

by: horsawlarway

Personally, this is a nothing-burger.<p>This is how native messaging works in extensions. Apps declare via manifest that extensions can talk to them.<p>Further - the user still has to install the extension in the browser <i>and</i> the user has to approve the permissions popup that explicitly states the extension will have permission to &quot;Communicate with cooperating native applications.&quot; See: <a href="https:&#x2F;&#x2F;developer.chrome.com&#x2F;docs&#x2F;extensions&#x2F;reference&#x2F;permissions-list" rel="nofollow">https:&#x2F;&#x2F;developer.chrome.com&#x2F;docs&#x2F;extensions&#x2F;reference&#x2F;permi...</a><p>So it&#x27;s hardly undisclosed. Every user with the extension has accepted this permissions popup that communicates that this is happening and allowed.<p>(whether permissions prompts like this are actually helpful is a different topic).

4/23/2026, 8:51:46 PM

by: honeycrispy

I am beginning to suspect that Anthropic may not be as ethical as they purport themselves to be.

4/23/2026, 8:29:49 PM