Work without "access your data for all websites" permission
Describe the problem
I want to reduce the security impact from any hijacked add-on as much as possible, solely based on the principle of least privilege.
I do mainly two things with this add-on:
- remote-control Kodi with the integrated remote (to play videos Kodi already has access to)
- send concrete links to Kodi (right-click, send to Kodi)
With my current understanding (feel free to correct me), I see no reason for CastKodi to have the "access your data for all websites" permission, at least in my case. (I assume this feature is required for the buttons in the top row & not for explicitly casting a link via right-click.)
Describe the solution you'd like
Allow using the add-on without this permission when the user acknowledges the reduced feature set. I.e. make the following warning able to be skipped:
Environment
- Cast Kodi version: 7.13.0
- Browser version: 142.0.1
- Kodi version: N/A
- Kodi add-on version (if appropriate): N/A
Cast Kodi requests host_permissions to access websites without cross-origin restrictions using fetch(). This permission also grants many rights that are not used by the extension. I would like to request only the right to bypass CORS, but there is no permission for that.
host_permissions are requested for all websites, because the extension must access:
- The Kodi WebSocket, which can be at any address: 192.168.0.1, rpi.lan, etc.
- Any website to search for a video.
I cannot request rights for only certain websites, as I do not know the list of websites the user wants.
There is the permissions.request() API to request permissions, but this would make the extension much more complicated to use.
- To configure the Kodi address, each character entered by the user triggers a request to check whether Kodi is accessible at that address. This means that the user would have to be asked for permission for each character entered.
- To search for videos on web pages, permission would have to be requested to access the page and also to access the URLs contained in the page (<iframe>, Open Graph, etc.).
If you have another solution that doesn't complicate the use of the extension, I'm interested.
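For reference, a sketch of how the permissions.request() flow discussed in this thread could be scoped to the configured Kodi host only, prompting once on an explicit save instead of on every keystroke. This is an added example, not Cast Kodi code: the function names are hypothetical, `permissions` stands for browser.permissions, and it covers only the Kodi address case, not the video search on arbitrary pages.

```javascript
// Added example (not Cast Kodi code). `permissions` stands for browser.permissions;
// function names are hypothetical. Assumes the manifest lists a broad pattern under
// optional_host_permissions instead of host_permissions.

// Map the text in the Kodi address field to a single-host match pattern.
// Match patterns have no port component, so "rpi.lan:9090" maps to "*://rpi.lan/*".
function kodiOriginPattern(address) {
    const text = address.trim();
    if ("" === text) {
        throw new Error("empty Kodi address");
    }
    // Accept "host", "host:port" or a full URL; assume ws:// when no scheme is given.
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text);
    const url = new URL(hasScheme ? text : `ws://${text}`);
    if (!["ws:", "wss:", "http:", "https:"].includes(url.protocol)) {
        throw new Error(`unsupported scheme: ${url.protocol}`);
    }
    return `*://${url.hostname}/*`;
}

// While typing: never prompts. Returns true only if this host was already granted,
// so the reachability probe is skipped (no dialog is shown) for any other host.
async function canProbe(permissions, address) {
    let pattern;
    try {
        pattern = kodiOriginPattern(address);
    } catch {
        return false; // incomplete or invalid input
    }
    return permissions.contains({ origins: [pattern] });
}

// On an explicit user action (for example a "Save" click): one prompt for one host.
// request() is the first awaited call so the user-action requirement still holds.
async function grantOnSave(permissions, address) {
    const pattern = kodiOriginPattern(address);
    const granted = await permissions.request({ origins: [pattern] });
    return { pattern, granted };
}
```

With this split, the per-character reachability check runs only for hosts the user has already approved, and the permission dialog appears once per new host.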