Requires permission to "manage your downloads"

[ndmitchell]

I saw that Tabli requires permission to manage my downloads. Why? The others all seem quite reasonable but I can't immediately see what that is necessary for. Perhaps put on the website a justification of each permission required, so people can feel slightly more informed when accepting it.

[antonycourtney]

My sincere apologies for this troubling dialog and the entirely justifiable concern it raises.

This dialog box is from Chrome and is unbelievably painful in numerous ways.

First: Here is the actual diff in the permissions requested by Tabli between version 0.8.8 (that all users were running until yesterday) and yesterday's update:

That is: In spite of the terrifying dialog and Chrome's default behavior of disabling the extension, the only change in permissions was the permission for Tabli to read Chrome's FavIcon cache (!).

As for the "Manage your Downloads" permission: It is not currently used in production at all.

That permission is needed in exactly one place in the code right now - a dev-only facility for exporting a snapshot of window state for use when debugging or creating integration and unit tests.

So why is the permission there if it's not needed in production? Because I can imagine some day exposing this ability for a user to generate a dump of their window state that they would send to me if they encounter an arcane bug. When and if I some day add that feature, I wanted to avoid having to put all users through the above poorly-designed and misleading permissions dialog.

I hope the above explanation makes sense, even if the answer is a bit disappointing (at least to me). Thank you for the suggestion to make Tabli permissions clearer and more explicit on the Tabli web site; I agree that would be helpful.

[ndmitchell]

Generally any app which says which permissions it uses and why it uses them is enough to convince most people.

[pendashteh]

Thank you @antonycourtney for all the effort putting into this.

I should say, I didn't find your argument for getting permissions strong enough. Just because you know you are not doing with a permission, it doesn't mean users would also know. And if you put yourself in the users' shoes, the only way for the them to know is to read the entire code base.
Also, "asking for permission ahead of time to avoid future hassle" is also a very weak argument and without judging you a dangerous way of thinking. When a permission is requested there need to be a strong case for it.

These are not codes of conduct. Users are becoming more and more aware and the ecosystem is adopting to this. For example, as you can see, when there is a new change in permissions list, Chrome reminds the user of all the permission (including those already granted). And that is not at all a "poorly-designed and misleading permissions dialog" as you described it.

To conclude, for those who are doing the right thing, like yourself, it's important to follow guildines and specially 'best practices' and have a rigid internal policy, so that over time we can filter bad actors out of the ecosystem.

[antonycourtney]

Hi @pendashteh,

Thanks for sharing your perspective.

For what it's worth, I did the right thing and removed the unused "Downloads" permission in January of 2017.

It gives me no pleasure to report that my reluctance in removing that permission played out exactly the way I feared it would: Because removing the "Downloads" permission resulted in forcing all users to re-permission the extension through the above permissions dialog, with absolutely no indication to the user that the update to Tabli was in fact using less permissions than before the update, the result was a massive number of uninstalls of the Tabli extension -- the single biggest one day drop in users in the five year history of the extension.

My criticism of the Chrome permissions dialog design is that it is simultaneously too technical for novice users and not technical enough for advanced users. Specifically:

• The dialog reports that an extension is requesting "additional permissions" even when (in the case of removing the Downloads permission) the extension is actually changing to use less permissions,
• In many cases the permissions listed in the dialog are unrelated to the actual change in permissions in the manifest. You can clearly see this in the screenshot that lead to opening this issue, where the only change in permissions was the addition of access to the FavIcon cache.
• The dialog gives no indication of what has changed (what new permissions are being requested).
• In many cases, the permissions are too coarse-grained. In the case of the "Downloads" permission, all I wanted was the ability to allow the extension to write a log file for debugging purposes; I didn't need or want the ability to access any of the users other Downloads.
• There is no opportunity for the extension author to offer any explanation of what changes to the extension necessitate the change in permissions.

Rest assured that the essential rule is Tabli's privacy policy: "Tabli does not make any outbound data connections and does not send any data whatsoever to any external application, extension or cloud service." I hold Tabli to the highest standard in terms of using minimal permissions and respecting user privacy, but issues with the permissions dialog cited above are, in my view, more of a hindrance than a help in this endeavor.

[antonycourtney]

This permission removed from Tabli ages ago. Closing issue.