Rob--W/crxviewer

Why so many permissions?

Closed this issue · 4 comments

"permissions": [
"tabs",
"storage",
"contextMenus",
"downloads",
"alarms",
"cookies",
"webRequest",
"webRequestBlocking",
"*://*/*"
]

I have like zero experience with extension development, so this might be a silly question, but I was looking through the source code of this extension and saw that a bunch of permissions were listed that seemingly don't have much to do with viewing source code files. Does anyone know if there a sensible reason for these permission requirements?

In general, permission warning messages are explained at https://support.mozilla.org/kb/permission-request-messages-firefox-extensions

I'll explain for each permission why it is requested by my extension.

"tabs",

"Access browser tabs"

This permission is used to detect when one of the supported extension stores is visited. When an extension listing is detected, the extension shows a button in the address bar that you can click to view the source of the extension.

"storage",

This does not have a permission warning message. The storage API is used to store preferences that you can set through the extension's settings page. For example whether to show the context menu or the button in the address bar.

"contextMenus",

This does not have a permission warning. The contextMenus API is used to register context menus on extension links and the context menu on the extension button (the one in the address bar).

"downloads",

"Download files and read and modify the browser’s download history"

The source of the extension can be saved in its original format or as a zip file.

"alarms",

This does not have a permission warning. The alarms API is used to schedule a timer, to work around a bug in Firefox.

"cookies",

This does not have a permission warning. Although extensions usually request this permission to manage cookies through the cookies API, my extension requests it for a different reason: the cookies permission is necessary for the extension to open the viewer in a specific container tab. When the user is triggering a "View extension source" action from a container tab, my extension opens the viewer in that container to ensure that the right cookies are used.

If you don't know what container tabs are, see https://support.mozilla.org/kb/how-use-firefox-containers

"webRequest",
"webRequestBlocking",

These do not have permission warnings. The webRequest APIs are used to work around a restriction of Firefox to ensure that the extension can read the source of Firefox add-ons. The technical details are available in the source code at https://github.com/Rob--W/crxviewer/blob/master/src/domain-fronter.js and another detailed explanation is offered in the commit message of 67dfa1d

"*://*/*"

"Access your data for all websites"

My extension can be used to view the source of any extension, and generally any zip file. Because these files can be hosted anywhere, I am asking for access to all URLs at install time.

The Chrome extension version of my extension doesn't ask for this broad permission at install time, but requests them at runtime as soon as the extension encounters any failure to read the source of an extension. For an optimal user experience I requested these permissions at install time in Firefox.

In a future version of the extension I will still request them at install time, but support the ability for the user to revoke the permission. The source of extensions cannot be viewed until the permission is granted again though.

Thanks so much for the detailed response! This is very illuminating.

It seems like Firefox could do with a more granular permission system for extensions 🤔.

It seems like Firefox could do with a more granular permission system for extensions 🤔.

Firefox does support granular permissions. It is not a browser problem. Rather, it is a UX problem. In theory I could modify the extension to work with minimal permissions and prompt for a permission whenever I encounter a URL that I cannot open. For common cases this may be sufficient (e.g. if I request all known extension store URLs and CDNs upfront). But for workflows with extensions hosted at arbitrary URLs, that would be annoying, to the point that it would be preferable for the user to approve access to all URLs.

If there is enough demand for such granular host permission requirements I may consider adding an update to do so, however.

It is not a browser problem. Rather, it is a UX problem

"Access your data for all websites" this permission makes it sound like the extension could in theory record everything I do on websites I'm visiting or make arbitrary requests as me. Would it not be possible for the browser to provide a more limited permission like "get current url on activation" or something along those lines?, or for the downloads permission. Why does it have permission to read and modify, why is there not just a permission to allow downloads? It seems like there could be a lot more done here 🤔.

You have my vote for more granular permission requirements! I always get kinda anxious installing extensions that ask for seemingly wide-ranging permissions... (which is actually how I came across this project in the first place, I wanted to inspect another extension that had wide-ranging permissions)