Explanation and justification for permissions requested by this extension
ArhatEves opened this issue ยท 9 comments
Hey all. I desperately need this, and it's so cool that it's on a GNU license, but it scares the crap out of me that it says it can read and change all your data on the websites you visit. Can someone please explain what that entails exactly? I'm hoping that it's not as bad as it sounds, because it sounds like a security/privacy nightmare.
@ArhatEves it is indeed unfortunate that the extension requests such scary permissions. the reason for this is that it requires a content script to be run in the background of every open tab. the main functionality this provides is the ability to detect if the user is part way through editing a form. it also does a few other things like set the page scroll position on reload and capture a screenshot before suspending if you have that feature enabled.
while this means in theory that it could read anything on the page, record keystrokes etc, you will have to trust me when I say that it does not. the extension is built from the source code of this project. if you would like to see exactly what the content script is doing, you can view the source for it here: https://github.com/deanoemcke/thegreatsuspender/blob/master/js/contentscript.js
i believe that chrome relies on the webstore review process to allow the community to determine whether an extension can be trusted. they say this exact thing here: https://support.google.com/chrome_webstore/answer/186213?hl=en
given the number of users this extension has, the open source nature of the code, and the lack of any negative reviews in this respect, i would say you can be fairly confident in trusting it.
Hey, thank you so much for the explanation and links. My mind is at ease! Much appreciated.
Can this extension be leveraged by a malicious actor to extract the user browsing information?
The most obvious thing I can think of is that it stores the users tab session history in a local indexedDb database on the users filesystem. When you clear your browsing history, it will not clear this session history, although you can remove this manaully within the extension. There is a feature request to turn off this automatic saving of session history: #587
Other than that, chrome does a pretty thorough job of making sure the code of the extension itself is never compromised. You will receive an 'extension is corrupted' message if this ever happens.
I am not a security expert however, so please don't take this as a definite answer.
Just want to add some more information here about the "Read and change your browsing history" required permissions.
The only thing this is used for is to 'tidy up' the urls in the session history to remove any suspended tab entries. They are always duplicates of the real urls and just clutter up the history if left in there.
For more information on this behaviour (and it's limitations), refer to this issue: #717
This aged nicely ๐
sigh, been searching for a safe tab suspender plugin but this is kinda sus