Chrome extension v4.9 requires full access to read & change data on all websites #2655
Comments
|
I'm on the same boat, I won't use Yoroi again with such invasive permission. |
|
The permission is an industry-standard for wallets that provide dapp-interoperability functionality, see MetaMask for example
The actual access the extension will have is controllable in browser extension settings after you accept the permission (see
You can choose the option "On selected websites" and leave the whitelist empty which will make the extension have no access to any of the websites at all. A separate version of the extension that does not request that permission is being considered, but will be available later, if at all. |
|
@vsubhuman Nice to hear that workaround, thx. |
|
Uninstalling it unless this is reversed. My first reaction was: Has Yoroi been hacked? |
Have you seen the part where you can configure your browser to technically give Yoroi no access to any websites at all? #2655 (comment) |
|
This is bad design and it is bad for the Cardano ecosystem. A browser is the portal to a lot of sensitive stuff. For all that are not that savvy, or are installing it for the first time without looking at the permissions basically let Yoroi run with sudo on their whole web life. There is only one app I trust with that: My passwordmanager. |
|
the workaround suggested by @vsubhuman makes Yoroi unusable. All transactions appear as failed and ledger transactions do not work either. Edit: Looks like this is another major bug and seems to be reported in other issues. |
Transaction status or passing from within the Yoroi has absolutely no connection to the code-injection whatsoever. The dapp-connection functionality is disabled in the current version 4.9.1 anyways, so there's no real injecting going on yet until the next version, whether you disable it in the browser or not. Our backends are experiencing slowdowns at the moment, which we are working to resolve. A completely unrelated issue. |
|
@vsubhuman for the sake of good faith I followed your instructions and enabled the extension. FWIW I can't enable "selected sites" without adding at least one, so I just added https://yoroi-wallet.com/ as the most suitable "dummy" entry. Removing that switches the setting back to "On Click". (To be fair, I also didn't know "On Click" was the default and that's reassuring.) That being said I think the problem remains that this looks bad. The only UX presented to the user is basically "your Cardano wallet now wants to access everything you do on the web everywhere, accept it or you're locked out." Prompting that message for an app where the reason is non-obvious and expecting users accept it blindly is training them to follow bad personal security practices, and "well Metamask did it" isn't really a counter argument. They shouldn't either. The users who don't do that will think it's shady, like me (my first reaction: are they compromised?), and maybe some number will understand the ins and outs of Chrome extension permissions already and will subsequently configure it to their liking. I do appreciate that the underlying reality is less onerous than it seemed, so I'm satisfied that I can re-enable Yoroi, but I'm concerned by you adding the "not-an-issue" label to this. I apologise if I seem like I'm not assuming good intentions here, I truly am, I merely want to highlight and contextualise why this is is an issue worth solving. I would continue to urge you to make this a runtime/optional permission in order to a) not scare users off, and b) not encourage users to accept broad permissions asks like this blindly. If you make it optional, then when you do roll out the dApp functionality you can put a big honkin' button in the wallet page asking users to click to enable cool things, or whatever other opt-in mechanic works best. But you shouldn't be surprised by the reaction here. |
|
Whats more annoying is the fact that my yoroi extension disables based on these new permissions. I've had to restore my wallet twice now.. |
Why do you have to restore the wallet? Some Chromium version disable the extension instead of requesting the permission but all you need to do is go to browser extensions and enable it back which will prompt you to accept the permission. Which browser and version are you using? |
My MM had "On click" for site access though. I don't think I ever configured that. Re-enabling Yoroi defaulted to "On all sites" for me. I don't think its reasonable to expect all users to go tweak the Chrome extension settings. (Hi) |
Extension developers cannot affect which option will be set in the browser settings , only user can change it |
This is good input, thank you, @dchevell! It is being clarified and estimated atm, it is possible that next versions of Yoroi will switch to optional permissions. Product and design decisions are being made atm. |
|
+1 very important to not have this permission or to make it optional. |
Hi team,
I see the latest version of the Yoroi browser extension now requests the permission "Read and change all your data on all websites" permission in order to be enabled. I understand that this helps to enable dApp functionality etc, but with all respect, this is an unacceptable required permission for anyone not looking to use such features.
I'd like to suggest this be made an optional permission that is requested at runtime.
For now, I'd rather not re-enable the extension whilst such open ended access is required.
The text was updated successfully, but these errors were encountered: