Updated metamask asks for additional permissions

[bobbyvinon]

After updating this morning, metamask is disabled and asks for additional permissions:

• read and change your data on all eth sites and all test sites

what is this? i want to use it only for purse management and i don't want give this permissions to metamask.

[ngtuna]

Same concern here

[simonk1234]

Same here. How do I know it can be trusted?

[juarezweiss]

Same. Could the official team please comment on this?

[bdresser]

Hi @bobbyvinon and others - those permissions are for two new features we've added in 4.9.0

The permission to "change data on .eth and .test sites" is so we can reroute you to the content hash of sites hosted on IPFS / ENS. (#4405)

The permission to show browser notifications is so we can notify you when your transactions mine. (#4840)

You can read more about what's new in this most recent version (and more on why we request these permissions) here: https://medium.com/metamask/metamask-monthly-august-8b409c3fa18

Totally fair question - next time our feature set changes the permission level we require, we should try to let you know via the UI or something. I will leave this open for a couple days so others with the same question can find it easily.

[mryellow]

The permission to "change data on .eth and .test sites"

Is that what the message was saying!!

Chrome just says "eth" without a dot, making it not very obvious that they're talking about a TLD. Had me wondering, "What the hell is an 'eth' site".

Seems Chrome might need a UX issue opened.

[JohnAllen]

Just to be clear, Chrome does not say "change data on .eth and .test sites". It says this:

[bdresser]

@JohnAllen most of those permissions aren't new - check this reddit thread from 2017.

4.9.0 adds the permission for notifications, and it should include a permission about eth & test domains as well. I think @mryellow is correct, that the permission is shown as eth rather than .eth

[JohnAllen]

For me it says read and change all data on the websites I visit. So is it all or just .eth?

[bdresser]

@JohnAllen it's all

As described in the reddit post above, the initial permissions on download look like this:

The permission to "read and change all your data on the websites you visit" is what allows us to inject an Ethereum provider and web3 object.

What the original poster is asking about are the additional permissions some users saw after their browsers auto-updated to 4.9.0. Those looked like this:

The permission to read and change data "on all eth and test sites" seems redundant after agreeing to the download permissions, and we're investigating why this was shown to users.

[dsilberschmidt]

i have this message:
MetaMask is disabled
To re-enable it, accept the new permissions:
.Read and change your data on all eth sites and all test sites
.Display notifications

                                     Remove    Accept permissions

Same concern as previous users. Is this a new permission YOU ask for?

[bdresser]

@dsilberschmidt yes, these are new permissions we're asking for in versions 4.9.0 and later.

They allow our ENS / IPFS integration (#4405) and the browser notifications we now show after tx are confirmed (#4840)