
Reduce Permissions to Google Search

Open pableu opened this issue 5 years ago • 3 comments

The extension currently has access to all subdomains of all Google Domains (*://*.google.com/* and so on in manifest.json). This includes rather sensitive stuff such as drive.google.com, pay.google.com and myaccount.google.com.

It would be more trustworthy if it only requests access to *://www.google.com/* (and so on). This would more or less restrict it to the search itself, I think.

pableu avatar May 08 '19 12:05 pableu

Hi @pableu I remember I added *://*.google.com/* specifically for some edge case (some countries/ways of searching that were using subdomains I've never seen before and therefore the extension wasn't working).

As you can see in here I'm directly avoiding execution in any site that is not a search Google site.

Regarding trustworthiness, you can read the code, there should be no security issues as there's nothing obscure being done. Do you think it'd be better to specifically exclude certain Google sites?

GMaiolo avatar May 08 '19 21:05 GMaiolo

+1, I was thinking the same thing.

The difference is that the current implementation is using JS to stop more JS execution, so I think scripts are still running on e.g. pay.google.com?

The code is secure right now, but it is possible to guarantee more security on updates. If the extension was updated to something malicious, there wouldn't be any notification for users when they update.

If instead the manifest declared less permission, then an update wouldn't be able to get more permissions without asking the user: https://developer.chrome.com/extensions/permission_warnings#update_permissions

darthwalsh avatar Jun 07 '19 05:06 darthwalsh

I agree. We'd need to validate a lot of use-cases though and I don't have much free time to do this right now.

Added the help wanted label to see if anybody else could send a PR with tested and reduced accesses, otherwise I'd tackle this myself when I'm available.

Thanks for the suggestions and for bringing this to my attention @pableu @darthwalsh

GMaiolo avatar Jun 07 '19 18:06 GMaiolo