libredirect asking for more permissions #646

Closed
bheeshmpita opened this issue Mar 6, 2023 · 21 comments

@bheeshmpita

The web browser auto-disabled the extension because the extension was updated and requires extra permissions to function.
How can I check that these permissions are safe to accept?

ksnip_06032023-105444

@1muen
Contributor

1muen commented Mar 6, 2023

Hi @bheeshmpita I only got the message that the new extension requires the bookmarks permission (Firefox):
grafik

It's because of this commit: b91ae8e

After I accepted the new permissions I didn't see any options if I right click on a bookmark:
grafik

But as far as I understood the commit, there should be. Maybe I should restart Firefox.

You can always build the code yourself, if you don't trust the addon on the addon store enough: https://github.com/libredirect/libredirect#development

@io43

io43 commented Mar 6, 2023

Please can you make the new bookmark permission of version 2.5.3 be requested only if we want to use that feature? I think it is somehow possible, no? Thanks.

@1muen
Contributor

1muen commented Mar 6, 2023

@deathtrip

Does anyone know why it needs this bookmark permission?

@ManeraKai
Member

ManeraKai commented Mar 6, 2023

To have a context menu just like when you right click a link: #568

@ManeraKai
Member

image

@deathtrip

Not everybody likes extensions adding new context menu entries. So I think there should be an option to disable it, and then this permission wouldn't be needed.

@IkelAtomig
Member

Will be focused on next release.

@TheFrenchGhosty

TheFrenchGhosty commented Mar 8, 2023

@ManeraKai @IkelAtomig No, just no. I don't want an addon that is supposed to just redirect URLs to have the permission to READ and MODIFY my bookmarks.
I really don't get why you keep adding permissions that shouldn't exist (like "Input data to the clipboard") for an addon that SOLELY exists to rewrite some URLs/redirect users.

The security implication of that is MASSIVE, you effectively have COMPLETE access to the bookmarks of ALL users.

This is like the 5th time that the people behind Libredirect prove themselves to be HIGHLY unprofessional and borderline SHADY while ignoring EVERY single BASIC security practice.

@IkelAtomig
Member

https://fosstodon.org/@libredirect/109976625888898306 - This is the reason to do so.

The extension is Open source. We don't delete or add or alter the bookmarks. You could check the code yourself.

It's only for the sake of redirecting bookmark links as the users wish. This isn't something we did intentionally. Rather fulfilling the request of a fellow user here : #568.

It's my mistake that I didn't write about it in Release notes. Which was somehow missed out from my eyes.

Apart from that we are trying to explain in the best way when users are asking questions.

@ManeraKai
Member

ManeraKai commented Mar 9, 2023

> @ManeraKai @IkelAtomig No, just no. I don't want an addon that is supposed to just redirect URLs to have the permission to READ and MODIFY my bookmarks.

> and borderline SHADY

This is the part of the code where it does so, it's just doing its job, nothing else.
https://github.com/libredirect/libredirect/blob/594b8e571fb65c38102626e84f7015c8e28940e8/src/pages/background/background.js#L143-L161
https://github.com/libredirect/libredirect/blob/594b8e571fb65c38102626e84f7015c8e28940e8/src/pages/background/background.js#L240-L266
You can see the commits. Here's the change log between the two releases.
v2.5.3...v2.5.4#diff-a68229f23586e2fb9354f62fea2613ff16d337ab20490663b3bd6031d9b19973R140-R161
It was bc I didn't know that firefox has the namespace "window.chrome", I thought it only had "window.browser".

> I really don't get why you keep adding permissions that shouldn't exist (like "Input data to the clipboard") for an addon that SOLELY exists to rewrite some URLs/redirect users.

> The security implication of that is MASSIVE, you effectively have COMPLETE access to the bookmarks of ALL users.

> while ignoring EVERY single BASIC security practice.

We're trying to just use the permissions that are needed for a feature, for example with clipboard, we just used the clipboardWrite so we can just write some input nothing more.
Also, there are a ton of other users who want such features and others who don't. If we remove some features, many users will say that This version feels like a downgrade and start using older versions of LibRedirect just to have those features, even if they were buggy. And if we add some features, other users will say that it's "Compromising security". It's ok both arguments are valid, but we here at LibRedirect need to balance out between both as much as possible.

> This is like the iv-org/documentation#229 (comment) that the people behind Libredirect prove themselves to be HIGHLY unprofessional

We never said we are. Me and @IkelAtomig are just normal people who work in their free time on LibRedirect. We are not a "Commercial Company" or something.

@bheeshmpita
Author

bheeshmpita commented Mar 9, 2023

@ManeraKai Thanks for the clarification and your work. As a normal user who doesn't have much understanding of how the code works, it makes sense to give the bare minimum permissions to the service for its functioning, so that's the reasoning the issue was opened.
Unrelated to this, guide me how to achieve this: say I just want to redirect links of reddit and twitter and require no other feature, how should I customize libreddit or any other service so it accomplishes the task without any extra features or permissions? And the service should be able to read my history related to these domains only instead of my entire browsing history. As I mentioned earlier, I do not know how code works so I may be wrong.
All the comments I made were to get clarity on the topic, so please don't consider them as accusations.

@samtygier

> The extension is Open source. We don't delete or add or alter the bookmarks. You could check the code yourself.

There is more to the argument than that. There are also numerous ways a malicious 3rd party might try to sneak some malware into this extension or its entry on the addons site. A minimal permission list is a strong assurance that the damage that could be done in this case is limited.

@IkelAtomig
Member

@samtygier A balance between user convenience and security is sort of hard to strike. If you want strict security, you need to lose convenience by not having certain features, and vice versa.

@bheeshmpita At a bare minimum, you need to enable Twitter and reddit redirection. If you want no other features, you need to either modify the code yourself, or the best bet for you is the Redirector extension.

@bheeshmpita
Author

thanks @IkelAtomig for the help.

@pm4rcin

pm4rcin commented Mar 10, 2023

Excuse me, but is it possible to make this feature optional, or are browsers not that flexible?

@bheeshmpita
Author

@IkelAtomig tried to setup the extension, but failed. If you can help https://github.com/einaregilsson/Redirector/issues/343#issue-1618404359

@ManeraKai
Member

> Excuse me but is it possible to make this feature optional or browsers are not that flexible?

@pm4rcin The feature isn't in the manifest.json but rather executed at runtime, so it's not hardcoded, meaning that it can be flexible. I'll try to figure it out.
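
An added example, not part of the thread and not LibRedirect's code: one way the bookmark context menu could be made opt-in on Firefox, by declaring `bookmarks` under `optional_permissions` and requesting it at runtime with the WebExtensions `permissions` API. The manifest layout, `MENU_ID`, `setBookmarkMenu` and the in-memory `makeFakeBrowser` stand-in are assumptions made for illustration.

```javascript
// Manifest side (assumed layout, not LibRedirect's actual manifest):
//   "permissions": ["menus", ...],  "optional_permissions": ["bookmarks"]
const BOOKMARKS = { permissions: ["bookmarks"] };
const MENU_ID = "redirectBookmark"; // hypothetical menu item id

// `api` is the WebExtension `browser` object. Call this from a click
// handler on the options page: permissions.request() only works inside
// a user-input handler.
async function setBookmarkMenu(api, enabled) {
  // Clear any earlier entry so enabling twice never creates a duplicate id.
  await api.menus.remove(MENU_ID).catch(() => {});
  if (!enabled) {
    // Feature off: hand the grant back so the install holds no bookmark access.
    await api.permissions.remove(BOOKMARKS);
    return false;
  }
  const granted = (await api.permissions.contains(BOOKMARKS)) ||
                  (await api.permissions.request(BOOKMARKS));
  if (!granted) return false; // user declined; URL redirection is unaffected
  // Firefox requires the "bookmarks" permission for the "bookmark" context.
  api.menus.create({ id: MENU_ID, title: "Redirect", contexts: ["bookmark"] });
  return true;
}

// Constructed in-memory stand-in for `browser`, so the flow runs under Node.
function makeFakeBrowser(userAccepts) {
  const granted = new Set(), menuIds = new Set();
  return {
    granted, menuIds,
    permissions: {
      contains: async (p) => p.permissions.every((x) => granted.has(x)),
      request: async (p) => {
        if (userAccepts) p.permissions.forEach((x) => granted.add(x));
        return userAccepts;
      },
      remove: async (p) => { p.permissions.forEach((x) => granted.delete(x)); return true; },
    },
    menus: {
      create: (item) => { menuIds.add(item.id); return item.id; },
      remove: async (id) => {
        if (!menuIds.delete(id)) throw new Error("no such menu item");
      },
    },
  };
}
```

With this layout an update that adds the feature does not trigger a new install-time permission prompt, and users who never enable the menu never grant bookmark access.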

@IkelAtomig
Member

@bheeshmpita - I never used Redirector for the full potential or only of little use.

If you need regex patterns for redirection, you could copy them from the source code or mail me. (Look for the address in my profile.)

@io43

io43 commented Mar 24, 2023

Thanks for trying to figure out how to ask for it when we want to enable that feature. I saw a blog post today and it reminded me that once extensions get popular, devs get multiple offers per year to sell their extensions to shady people who just want to siphon data and do all kinds of malicious activities, so for now it is safe, but what if at one point the dev is offered a few thousand to sell out and all bookmarks get siphoned (I do not mind the "Access your data for all websites" permission because I use the extension in a separate profile where I don't log in to sites, so the only personal data in that profile is the bookmarks). It happens to many extensions.

@IkelAtomig
Member

This is a Community based project actually. But only 2 people maintaining as far as we can. Development might be stale. But we are sure, we won't sell.

CatCoder32 pushed a commit to CatCoder32/extension_browser that referenced this issue Jun 15, 2023