Improve scripts automatic update logic
- [x] Remove popup initialization update check blocking
- [ ] Users can customize global scripts update check switch
- [ ] Users can customize single script update check switch
- [ ] Users can customize the global update check interval
- [ ] Periodic script update check in background and store the results
- [ ] Alerts for updates via the "red dot" indicator, popup, and extension pages
- [ ] Users can customize whether to enable background silent update without review (should double-confirm to enable this option)
Users can manually check for script updates, or enter the update interface through the update alerts when the update check is enabled.
Script updates always recommend manual confirmation by the user, during this process, users should be prompted to review the script code to ensure that no malicious code is introduced into the update.
Ref: https://github.com/quoid/userscripts/issues/211 https://github.com/quoid/userscripts/issues/181#issuecomment-995264142
Came here to create a suggestion for this, but pleasantly surprised to see it's an active work in progress. Thanks for the awesome app/extension!
> Script updates always recommend manual confirmation by the user, during this process, users should be prompted to review the script code to ensure that no malicious code is introduced into the update.

My two cents: normal practice is to only prompt if an update causes permissions to change (changes to grant, connect, etc.). If permissions haven't changed, you're just asking users to review source code, and most people aren't programmers. Also, constantly asking people to confirm updates trains users to tune it out and just click "confirm" without looking at it. Only asking for confirmation when there's something worth looking at means users are a lot more likely to pay attention.
I update my script whenever it makes sense, since I know users aren't being nagged with update confirmations every time unless they've asked to be. I avoid making changes to permissions whenever possible, since I know that'll annoy everybody with an update prompt.
This is why we have tags like grant in the first place, to put security-sensitive changes in a form that's easy to review and to explain to users.
Thanks for the feedback @ppixiv
> if an update causes permissions to change (changes to grant, connect, etc.)

I like this idea.
> just asking users to review source code, and most people aren't programmers

> constantly asking people to confirm updates trains users to tune it out and just click "confirm" without looking at it

I agree that for a good portion of users (likely most), they will simply click OK to the updates without looking. I don't think this behavior changes if updates require confirmation always or just when @grant values are different.
Fundamentally, I think the extension and app should promote due diligence and good security practices even if users decide to ignore them.
We might be able to encourage that by simply making users opt-in to auto updates and if they decide to toggle it on, compelling them to confirm that decision with some sort of confirmation modal that explains the benefits and dangers of doing so. Once it's toggled on, user scripts can simply auto update. Just another idea...
@ppixiv
Thanks for the comment, it makes sense. But I am equally concerned about the following:
- Even though we only prompt when @grant changes, most users will still just click "confirm" without looking like you said
- Permission checks do not guarantee that there is no malicious code, it is an illusion of security
- Scripts can introduce new malicious code without changing permissions
Also, I want to say that you misunderstood what I meant by writing this sentence. I'm not saying we require the user to check every time, I'm just pointing out that's the recommended practice.
Actually, if you look at the features I listed above, you will find that the choice is always the user's; we advise and remind the user what to do, but we don't have any enforcement policies.
I was responding to "Script updates always recommend manual confirmation by the user, during this process, users should be prompted to review the script code", which does seem to say that script updates always recommend the user to confirm it.
I agree that prompting the user isn't perfect, no matter how it's done. We can't expect users to pick apart the different sorts of threats: grants giving a script access to unrelated sites, and scripts without any grants at all doing something nasty with the site itself. It's a broader problem that every platform struggles with. In one sense userscripts are in a better place than mobile apps, since GF requires that unobfuscated source be available. Most users won't squint at the source, but it's possible for others to do so, which is a disincentive to try to sneak things in.
@ppixiv
> which does seem to say that script updates always recommend the user to confirm it.

Yes, we recommend that users always review and manually confirm. But we will never force users to do so.
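
The permission-change check discussed in this thread, sketched as an added example (not code from the Userscripts project): it diffs the metadata blocks of two script versions and separately reports whether the code body changed, since a script can change behaviour without changing `@grant`. Treating `@match`, `@include` and `@require` as permission-relevant alongside `@grant` and `@connect`, the function names, and the sample scripts are assumptions of this example.

```javascript
// Added example, not code from the Userscripts project.
// Keys treated as permission-relevant here (an assumption of this example).
const SENSITIVE_KEYS = ["grant", "connect", "match", "include", "require"];
const META_BLOCK = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/;

// Parse the "// ==UserScript==" header into a Map of key -> Set of values.
function parseMetadata(source) {
  const meta = new Map();
  const block = source.match(META_BLOCK);
  if (!block) return meta;
  for (const line of block[1].split("\n")) {
    const m = line.match(/^\s*\/\/\s*@([\w:-]+)(?:\s+(.*?))?\s*$/);
    if (!m) continue;
    if (!meta.has(m[1])) meta.set(m[1], new Set());
    meta.get(m[1]).add(m[2] ?? "");
  }
  return meta;
}

// Compare the installed version with the fetched update.
function reviewUpdate(oldSource, newSource) {
  const oldMeta = parseMetadata(oldSource);
  const newMeta = parseMetadata(newSource);
  const added = [], removed = [];
  for (const key of SENSITIVE_KEYS) {
    const before = oldMeta.get(key) ?? new Set();
    const after = newMeta.get(key) ?? new Set();
    for (const v of after) if (!before.has(v)) added.push(`@${key} ${v}`);
    for (const v of before) if (!after.has(v)) removed.push(`@${key} ${v}`);
  }
  const body = (s) => s.replace(META_BLOCK, "").trim();
  return {
    added, removed,
    permissionsWidened: added.length > 0,
    // Reported separately: unchanged permissions do not mean unchanged code.
    codeChanged: body(oldSource) !== body(newSource),
  };
}

// Constructed sample scripts for illustration.
const OLD = `// ==UserScript==
// @name     Example script (constructed sample)
// @version  1.0
// @match    https://example.com/*
// @grant    none
// ==/UserScript==
console.log("v1");`;
const NEW_WIDER = OLD.replace("// @grant    none", "// @grant    GM.xmlHttpRequest\n// @connect  example.net");
const NEW_CODE_ONLY = OLD.replace('"v1"', '"v2"');
```

A caller could use `permissionsWidened` to decide when to raise a confirmation prompt and `codeChanged` to decide when to offer a source diff for review.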