github-dark-theme
github-dark-theme copied to clipboard
Require only minimal permissions
Summary
Great extension, however I believe it could be even better if it did not require access to "all pages you visit". I believe this permission is unnecessary and can be replaced with permission to access only github.com
and related domains. Other people care about permissions too: #35
If you are interested, I can prepare a PR for this change.
User story
When I evaluate extension in the store (Chrome Web store, Microsoft Extension Store, Mozilla addons), I check extension's permissions and avoid any extension that requires too many privileges. I don't like extensions that have access to all sites and simply do not use them.
The problem
Manifest permissions currently contain stuff like this (manifest-ref.json
as an example):
https://github.com/poychang/github-dark-theme/blob/93e56540c54bf22e08aa3050defc221a9b05c19e/src/manifest/manifest-ref.json#L31-L35
(Other manifests contain similar permissions and they should be edited too).
"*://*/*"
and "<all_urls>"
are very general and generate this warning.
Solution
If this extension does not run outside GitHub (which it probably doesn't), it does not require such broad permissions. Instead extension can:
- require access to official GitHub domains --
github.com
and possibly some GitHub properties -- by listing them in the manifest, and - allow user to add self-hosted GitHub domains via optional permissions (call
chrome.permissions.request
. For details, see Chrome docs and MDN and this.
Related issues
#35
Yea it gets a bit too crazy now sorry.. But I won't except updates any more from now on. Since I need to give you access to all site data and all browser tabs. That sounds overkill to me.
@danger89 I well know your concern even I promise it won't fetch and data from website and users. This issue is my primary fix now.
@poychang Why does it need more permissions now?
@Electw Firefox needs tabs
permissions to get URL from current tab.
To access Tab.url, Tab.title, and Tab.favIconUrl, you need to have the "tabs" permission. link
For anyone else (Firefox user) similarly concerned, can follow #174 this reply to turn off update.
I do some research about other extension like Dark Reader, they have the same notification like this.
This means that the majority of us, who do not have enterprise accounts, are now forced to allow all domains just so that it works for enterprise github accounts. @cyrus-za say this at #174
This inspired me to split this extension into 2 different extension. The "GitHub Dark Theme" only work with github.com and gist.github.com (maybe you can suggest more as default). Another one "GitHub Dark Theme for Enterprise" has the custom domain feature and more settings to adjust.
At the mean time, I'll keep both of extension's theme work as the same. For me, I do not have GitHub Enterprise account. I only need the pure theme extension.
If you support this way, please thumb this up.
@poychang
This inspired me to split this extension into 2 different extension.
There is a more elegant solution. Firefox has a dedicated contentScripts
API that basically allows you to change content_scripts
manifest key at runtime. Chrome doesn't have this API, but there is a small polyfill written in TypeScript. I might have time this week to implement it this way, if you would be interested in a PR.
Also: FYI, Chrome web store rules were updated recently and they now forbid "repetitive content" or "duplicate extensions" from the same developer. The official public mailing list had a few people complaining about take-downs (even though that's not a support list).
@bershanskiy It looks like a good way to try. Change with browser.contentScripts.register
API can remove <all_urls>
and *://*/*
setting in manifest. If you have time to make this happen I'll very appreciate.
The all website permission is definitely outside my comfort zone too. This comment on another issue suggests setting this extension to not automatically update, so I grabbed the older version before this change (1.0.52) and did so. This is an okay workaround for now, but it's not ideal.
I don't use Dark Reader specifically because it can access all sites and that's an access concern - especially if the account of the extension publisher is compromised and it automatically updates the extension to misuse that access. At least when you don't request that permission, if such were to happen it would warn about a permissions change and I'd block it. Can't do that if it already has all the access.
Just adding a note that you can manually enable/disable this on Chrome to pick and choose which sites are affected:
Or from the chrome extensions settings page: