copyguard icon indicating copy to clipboard operation
copyguard copied to clipboard

Published 20 hours ago verified publisher icon roedesh

Firefox extension ask for access your data for all websites

Open kaushalyap opened this issue 3 years ago • 10 comments

I checked Firefox version of the extension it use Access your data for all websites permission which seems invasive.

Screenshot from 2020-12-29 21-18-47

But Chrome extension does not use a such permission

Screenshot from 2020-12-29 21-25-33

kaushalyap avatar Dec 29 '20 15:12 kaushalyap

Thanks for bringing this up. That does seem a bit too invasive.

It seems that Firefox shows that warning because my extension can inject a content script into any tab, whenever it wants.

There is a less intrusive permission called activeTab which does not show that warning, but requires the user to perform an action within that tab before my extension can inject its script. This is a problem because:

  • If the user forgets to perform such an action, my extension will not inject its script, and you won't receive a warning when your clipboard data was altered. It seems a bit counter intuitive to me to require the user to manually activate my extension in each tab.
  • Ideally my script runs before any other scripts, due to event bubbling

Perhaps I should add an explanation to the Firefox extension for the "Access your data for all websites" permission?

I'm open to suggestions.

roedesh avatar Dec 30 '20 15:12 roedesh

There is a less intrusive permission called activeTab which does not show that warning, but requires the user to perform an action within that tab before my extension can inject its script.

Why do you need to inject a script? Cannot you detect clipboard changes using clipboardRead, clipboardWrite permissions? Cannot you keep the history of clipboard related to a particular URL and detect clipboard changes from there.

kaushalyap avatar Dec 31 '20 01:12 kaushalyap

I need the content script to listen for the "copy" event and to get the current text selection.

roedesh avatar Dec 31 '20 02:12 roedesh

Seems like Firefox clipboard API is not ready yet

The clipboard API enables an extension to copy items to the system clipboard. Currently the API only supports copying images, but it's intended to support copying text and HTML in the future.

kaushalyap avatar Dec 31 '20 14:12 kaushalyap

I wonder how you do things in Chrome extension? Do you inject a script in there also?

kaushalyap avatar Dec 31 '20 14:12 kaushalyap

I wonder how you do things in Chrome extension? Do you inject a script in there also?

Yes, the extension works identical in all versions (Chrome, Firefox and Edge). I use the webextension-polyfill so its a single code base for all versions.

roedesh avatar Dec 31 '20 14:12 roedesh

Okay you may add a note about Firefox permission to the README

kaushalyap avatar Jan 01 '21 01:01 kaushalyap

Thanks for bringing this up. That does seem a bit too invasive.

It seems that Firefox shows that warning because my extension can inject a content script into any tab, whenever it wants.

There is a less intrusive permission called activeTab which does not show that warning, but requires the user to perform an action within that tab before my extension can inject its script....

I'm open to suggestions.

Would it be possible for the "copy to clipboard" user action to be the action that triggers the script to be injected? Or would it be too late?

Thanks.

Gitoffthelawn avatar Mar 02 '22 08:03 Gitoffthelawn

Would it be possible for the "copy to clipboard" user action to be the action that triggers the script to be injected? Or would it be too late?

Unfortunately the browser extension API's do not provide such a feature. It would also be too late indeed (although only for the first time you copy) as the event listener will be added after the copy has been done.

The only way to inject the content script on all pages automatically, is to set the the allowed origins to http and https addresses, which, in Firefox, translates to "Access your data for all websites".

If I disable the automatic injection, it will get rid of the warning in Firefox, but the user will have to do a certain action like clicking on the browser extension icon, before I can inject the content script. They will have to do this on every visit.

roedesh avatar Mar 02 '22 11:03 roedesh

Thanks. That makes good sense.

I can't think of a really great solution, but I did come up with a possibility:

Firefox allows developers to set on-demand permissions for extensions. By default, the extension could not ask for the "Access your data for all websites" permission; instead it can provide a toolbar button or context menuitem to activate the extension on the current page. Separately, there can be an option to enable the extension for all pages. When the user enables that option, Firefox will prompt for the "Access you data for all websites" permission.

I don't love the above because it's a bit clunky (IMO), but it might be the only possibility (besides keeping things how they are).

Gitoffthelawn avatar Mar 02 '22 20:03 Gitoffthelawn

Has anything changed with the browser APIs that would allow an improvement per the OP's request?

Gitoffthelawn avatar Apr 08 '24 04:04 Gitoffthelawn