Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Permission Explanation #34

Closed
FlorianWendelborn opened this issue Aug 12, 2016 · 5 comments
Closed

Add Permission Explanation #34

FlorianWendelborn opened this issue Aug 12, 2016 · 5 comments

Comments

@FlorianWendelborn
Copy link

It'd be really nice to know why this plugin needs the permissions it requests, especially why it needs to view my browser history.

I can't think of any reason why it would need the history, so at this point this makes the plugin quite untrustworthy TBH.

@Justineo
Copy link
Owner

Justineo commented Aug 13, 2016

The extension currently relies on Chrome Extension's webNavigation API to dynamically inject content script into the webpage because users can set site URL for GitHub Enterprise so the injection has to be dynamic. For each time you visit a URL, the extension will try to match the URL against the options and decide whether to inject content scripts, see here.

The use of webNavigation leads to the warning message you see, according to this issue.

@Justineo
Copy link
Owner

I just added this into FAQ. Thanks for reporting your concerns. I'll try to find a better solution for this.

@Justineo
Copy link
Owner

I checked the way Octotree handles this problem. It tries to inject content scripts into every webpage and if it got an error (because of no permission granted for most sites) it stops. Octotree won't know the exact URL you are visiting but if no error occurs it knows that the site's permission is already granted. GitHub Hovercard tries to make sure the site you are visiting is already in the granted list before it injects content scripts by using the webNavigation module. It won't exploit the actuall URL either. Actually I prefer GitHub Hovercard's current logic because it seems to be cleaner, though it may cause some concerns for privacy.

@FlorianWendelborn
Copy link
Author

@Justineo sounds like a huge oversight from Chromium IMHO. They should've implemented a method to check if you have permission on the current site.

@fregante
Copy link

fregante commented Aug 7, 2019

You can now remove that permission by using 2 modules I wrote recently:

https://github.com/fregante/webext-domain-permission-toggle
https://github.com/fregante/webext-dynamic-content-scripts

You'd just need these and some adjustments to manifest.json

npm i webext-domain-permission-toggle webext-dynamic-content-scripts
// in background.js
import 'webext-dynamic-content-scripts';
import addDomainPermissionToggle from 'webext-domain-permission-toggle';

addDomainPermissionToggle();

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants