github-dark-theme icon indicating copy to clipboard operation
github-dark-theme copied to clipboard

Published 20 hours ago verified publisher icon poychang

Require only minimal permissions

Open bershanskiy opened this issue 4 years ago • 11 comments

Summary

Great extension, however I believe it could be even better if it did not require access to "all pages you visit". I believe this permission is unnecessary and can be replaced with permission to access only github.com and related domains. Other people care about permissions too: #35

If you are interested, I can prepare a PR for this change.

User story

When I evaluate extension in the store (Chrome Web store, Microsoft Extension Store, Mozilla addons), I check extension's permissions and avoid any extension that requires too many privileges. I don't like extensions that have access to all sites and simply do not use them.

The problem

Manifest permissions currently contain stuff like this (manifest-ref.json as an example): https://github.com/poychang/github-dark-theme/blob/93e56540c54bf22e08aa3050defc221a9b05c19e/src/manifest/manifest-ref.json#L31-L35 (Other manifests contain similar permissions and they should be edited too).

"*://*/*" and "<all_urls>" are very general and generate this warning.

Solution

If this extension does not run outside GitHub (which it probably doesn't), it does not require such broad permissions. Instead extension can:

  • require access to official GitHub domains -- github.com and possibly some GitHub properties -- by listing them in the manifest, and
  • allow user to add self-hosted GitHub domains via optional permissions (call chrome.permissions.request. For details, see Chrome docs and MDN and this.

Related issues

#35

bershanskiy avatar Feb 03 '20 15:02 bershanskiy

Yea it gets a bit too crazy now sorry.. But I won't except updates any more from now on. Since I need to give you access to all site data and all browser tabs. That sounds overkill to me.

all_data

melroy89 avatar May 04 '20 23:05 melroy89

@danger89 I well know your concern even I promise it won't fetch and data from website and users. This issue is my primary fix now.

poychang avatar May 05 '20 00:05 poychang

@poychang Why does it need more permissions now?

Electw avatar May 05 '20 03:05 Electw

@Electw Firefox needs tabs permissions to get URL from current tab.

To access Tab.url, Tab.title, and Tab.favIconUrl, you need to have the "tabs" permission. link

poychang avatar May 05 '20 03:05 poychang

For anyone else (Firefox user) similarly concerned, can follow #174 this reply to turn off update.

poychang avatar May 06 '20 00:05 poychang

I do some research about other extension like Dark Reader, they have the same notification like this. image

poychang avatar May 06 '20 00:05 poychang

This means that the majority of us, who do not have enterprise accounts, are now forced to allow all domains just so that it works for enterprise github accounts. @cyrus-za say this at #174

This inspired me to split this extension into 2 different extension. The "GitHub Dark Theme" only work with github.com and gist.github.com (maybe you can suggest more as default). Another one "GitHub Dark Theme for Enterprise" has the custom domain feature and more settings to adjust.

At the mean time, I'll keep both of extension's theme work as the same. For me, I do not have GitHub Enterprise account. I only need the pure theme extension.

If you support this way, please thumb this up.

poychang avatar May 06 '20 00:05 poychang

@poychang

This inspired me to split this extension into 2 different extension.

There is a more elegant solution. Firefox has a dedicated contentScripts API that basically allows you to change content_scripts manifest key at runtime. Chrome doesn't have this API, but there is a small polyfill written in TypeScript. I might have time this week to implement it this way, if you would be interested in a PR.

Also: FYI, Chrome web store rules were updated recently and they now forbid "repetitive content" or "duplicate extensions" from the same developer. The official public mailing list had a few people complaining about take-downs (even though that's not a support list).

bershanskiy avatar May 06 '20 22:05 bershanskiy

@bershanskiy It looks like a good way to try. Change with browser.contentScripts.register API can remove <all_urls> and *://*/* setting in manifest. If you have time to make this happen I'll very appreciate.

poychang avatar May 07 '20 01:05 poychang

The all website permission is definitely outside my comfort zone too. This comment on another issue suggests setting this extension to not automatically update, so I grabbed the older version before this change (1.0.52) and did so. This is an okay workaround for now, but it's not ideal.

I don't use Dark Reader specifically because it can access all sites and that's an access concern - especially if the account of the extension publisher is compromised and it automatically updates the extension to misuse that access. At least when you don't request that permission, if such were to happen it would warn about a permissions change and I'd block it. Can't do that if it already has all the access.

ashleywaite avatar Sep 08 '20 01:09 ashleywaite

Just adding a note that you can manually enable/disable this on Chrome to pick and choose which sites are affected: image

Or from the chrome extensions settings page: image

RedSparr0w avatar Oct 25 '20 03:10 RedSparr0w