Clarify (or reduce) seemingly excessive permissions #62

Closed
bhrutledge opened this issue Nov 5, 2019 · 3 comments
@bhrutledge

This looks like a great plugin, but I'm a little wary of this:

This add-on can:

Access your data for all websites
Access browser tabs

This is also mentioned in the reviews: https://addons.mozilla.org/en-US/firefox/addon/markdown-viewer-webext/reviews/1408997/.

Can you explain why this is necessary? Or reduce the scope of the permissions?

@Cimbali
Owner

Cimbali commented Nov 6, 2019

Hi @bhrutledge and thanks for a very interesting question! I hadn’t looked at permissions for a while and it seems that some of them are superfluous now.

Here is the full list of permissions that is requested by the extension, which as you can see is much more fine-grained than what addons.mozilla.org reports:

https://github.com/KeithLRobertson/markdown-viewer/blob/ad0fe67586c7d1b21e3108b6541e467d393b6c32/manifest.json#L20-L30

(If you do not trust that addons.mozilla.org checks this, you can download the extension, rename the .xpi to .zip, and look at the files from there rather than in this repository.)

Required permissions

  1. Host permissions (aka “access data on all websites” on addons.mozilla.org)

    The add-on does not only work for local files, but also for files on the network. We only request access to file names with a markdown extension, so for example *://*/*.markdown and *://*/*.md as you can see, but across all websites, hence addons.mozilla.org presents this as “all websites”.

    For example accessing this raw markdown file causes it to get rendered:
    https://gitlab.com/gnutls/gnutls/raw/master/README.md

    NB: This does not work on raw github files, as these pages intentionally set a Content-Security-Policy header to block any addons from modifying the page, and we honour that request.

  2. storage (not mentioned on addons.mozilla.org)

    This is used to store (in synchronized storage, i.e. in your sync profile) the preferences, including additional CSS that you can apply to the rendered Markdown pages.


Obsolete permissions (removed since ce2962e)

Both tab-related permissions I believe were used before version 1.4.0 when we had a different mechanism to modify the pages (see release notes):

Previous versions required clicking a browser action icon to request permissions. This is no longer needed, and a lot of code supporting permissions management has been removed.

I’ll double check that removing these permissions causes no issues and will remove them if I can confirm they are no longer needed.

For context, the mechanism then worked by checking the URL for a markdown extension (which required the tabs permission), then requesting the permission (activeTab) by prompting the user with a popup, in order to render the markdown page with browser.tabs.executeScript and browser.tabs.insertCSS. Now we inject our scripts in all pages that fit the patterns declared in the manifest (and abort their execution if the page does not seem to be markdown source).

For reference:

  1. tabs permission

    In most cases the permission just grants access to the API, with the following exceptions:

    • tabs gives you access to privileged parts of the tabs API: Tab.url, Tab.title, and Tab.faviconUrl. In Firefox, you also need tabs if you want to include url in the queryInfo parameter to tabs.query(). The rest of the tabs API can be used without requesting any permission.
      […]
  2. active tab permission (not mentioned on addons.mozilla.org)

    activeTab permission

    This permission is specified as "activeTab". If an extension has the activeTab permission, then when the user interacts with the extension, the extension is granted extra privileges for the active tab only.

    "User interaction" includes:

    • the user clicks the extension's browser action or page action
    • the user selects its context menu item
    • the user activates a keyboard shortcut defined by the extension

    The extra privileges are:

    • the ability to inject JavaScript or CSS into the tab programmatically, using browser.tabs.executeScript and browser.tabs.insertCSS
    • access to the privileged parts of the tabs API for the current tab: Tab.url, Tab.title, and Tab.faviconUrl.
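
An added example, not part of the original comment or the extension's own code: a small JavaScript audit that separates API permissions from host match patterns and tests URLs against the patterns named in this thread. The manifest object and the example.org / intranet.example URLs are constructed, and the matcher is a simplified reading of the documented match-pattern rules (a `*` scheme is treated as http or https only).

```javascript
// Added example. SAMPLE_MANIFEST is constructed from the permission values
// quoted in this thread; it is not a copy of the extension's manifest.json.
const SAMPLE_MANIFEST = {
  permissions: ["*://*/*.md", "*://*/*.markdown", "storage", "tabs", "activeTab"],
};

// <scheme>://<host><path>; anything that does not parse is an API permission.
const PATTERN_RE = /^(\*|https?|file|ftp|wss?):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/;

function parsePattern(p) {
  if (p === "<all_urls>") return { scheme: "*", host: "*", path: "/*" };
  const m = PATTERN_RE.exec(p);
  return m ? { scheme: m[1], host: m[2], path: m[3] } : null;
}

// Split a manifest's permissions into API names and host patterns, flagging
// patterns whose host part is "*": those reach every site, whatever the path.
function classify(manifest) {
  const out = { api: [], hosts: [] };
  for (const p of manifest.permissions) {
    const parsed = parsePattern(p);
    if (!parsed) out.api.push(p);
    else out.hosts.push({ pattern: p, anyHost: parsed.host === "*",
                          pathRestricted: parsed.path !== "/*" });
  }
  return out;
}

function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Simplified matcher: "*" scheme means http or https; the path glob is tested
// against pathname + query string.
function matches(pattern, url) {
  const p = parsePattern(pattern);
  if (!p) return false;
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  const schemeOk = p.scheme === "*" ? ["http", "https"].includes(scheme) : p.scheme === scheme;
  const h = u.hostname;
  const hostOk = p.host === "*" || (p.host.startsWith("*.")
    ? h === p.host.slice(2) || h.endsWith(p.host.slice(1)) : h === p.host);
  return schemeOk && hostOk && globToRegExp(p.path).test(u.pathname + u.search);
}

console.log(classify(SAMPLE_MANIFEST));
```

Both host patterns come back with `anyHost: true`, which is the property the store listing summarises as "all websites", while `pathRestricted: true` records the narrowing to markdown file names that the listing does not show.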

@bhrutledge
Author

@Cimbali Thanks for the explanation, and for opening #63 to address it.

@Cimbali Cimbali closed this as completed Aug 5, 2020
@Cimbali
Owner

Cimbali commented Aug 5, 2020

Just to clarify, the obsolete (and “seemingly excessive”) permissions have been removed. I’ve edited the previous post to reflect that.
