Disclosure: I am a full-time engineer on the Google Chrome team. Sorry, but your solutions don't work -- believe me, we didn't want to do this but it was done to prevent malware injections and not to stop users from installing software they want (which is why we only block it on Windows, and we don't block it on Dev or Canary channels).
a) Block the extensions that don't come through the app store, but let the user enable them one by one -- without scary 'developer mode' (and opening up the floodgates)
Unfortunately, if we just let the user manually override the blocking, we would have to store that choice in a preference file. Malware on your computer could easily install a bad extension and set the override flag in the preference file, making the blocking effectively useless.
This is why the only way the user can opt in to side-loading (by turning on developer mode) prompts scary warnings every time you open Chrome -- so that if malware does this, users will know something is up. We can't let you opt in to side-loading and be silent at the same time.
b) Reputation systems -- allow 'reputable' extensions; revert to a) above for the rest. Google and the AV vendors don't want to get their hands dirty classifying useless shit nobody wants as the useless shit nobody wants, fine let the 'community' handle the reputation.
The reputation system just moves the responsibility around, but still fundamentally has the same problem. Now you need to run a full-time service that records the reputation for each extension, and needs to be resilient to gaming (for example, having a malware author controlling a botnet spam the reputation server with good reviews to increase their score).
And for anyone who really wants it, they can manually enable it.
That is exactly what the "developer mode" switch is for. Again, we can't have a preference to enable side-loading without also letting malware turn it on for unsuspecting users, unless it gives a scary warning. There are other ways to enable side-loading without having to see the warning every time you start Chrome:
- Use Mac OS or Linux.
- Use Dev or Canary channel.
- Use Chromium instead of Chrome.
I hope one of these solutions is acceptable.