AstraLuma / use-https

Fork of the Chrome extension of the same name. Redirects sites to the HTTPS version.

Authorize APIs? #8

Open AstraLuma opened 12 years ago

AstraLuma commented 12 years ago

Should we add authorization code to API calls from other extensions? Basically keep a list of user-approved extensions.

Proper UI for this would require the management permission, too.

AstraLuma commented 12 years ago

What I'm thinking is that when an extension makes a request for the first time, the user is prompted to OK it.

The management permission is asked for as an optional perm (see chrome.permissions).

We use the management API to get the necessary metadata to generate the permissions dialog. After that, we don't need it.

AstraLuma commented 12 years ago

Calling apps have several permission levels:

  1. None: The user has not set a permission level. Prompt user before performing any action.
  2. Read: The caller is allowed to make read requests without prompting. Any write requests are still prompted. No notification is made for reading.
  3. Write: The caller is allowed to make read and write calls, but user is notified of any writes.
  4. Trusted: The caller is allowed full permissions as if he were part of the extension. User is not notified of any changes or calls.
  5. Disallowed: All requests from the caller are denied. Period.

The permissions list is not accessible from the external API.

An API method should be added for extensions to explicitly request a permission level.
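
The permission levels described in the comments above, written as a decision function. This is an added example, not part of the thread and not use-https code; the method names, the `grants` map, the request shape and the extension IDs are hypothetical.

```javascript
// Added example: not use-https code. Level names follow the issue thread;
// method names, request shape and extension IDs are hypothetical.
const Level = Object.freeze({
  NONE: "none", READ: "read", WRITE: "write",
  TRUSTED: "trusted", DISALLOWED: "disallowed",
});

// The receiver classifies each method itself, so a caller cannot label its
// own write as a read. Methods missing from this table are denied.
const METHOD_KIND = Object.freeze({ getRules: "read", addRule: "write" });

const DENY = Object.freeze({ action: "deny", notify: false });
const PROMPT = Object.freeze({ action: "prompt", notify: false });

// Map a stored level and a request kind to what the handler must do.
function decide(level, kind) {
  switch (level) {
    case Level.DISALLOWED: return DENY;
    case Level.TRUSTED: return { action: "allow", notify: false };
    case Level.WRITE: return { action: "allow", notify: kind === "write" };
    case Level.READ:
      return kind === "read" ? { action: "allow", notify: false } : PROMPT;
    default: return PROMPT; // None, unset or unrecognised level: ask the user
  }
}

// grants: Map of calling extension ID -> Level, kept in the extension's own
// storage. senderId must come from the browser-supplied sender object of the
// external message, never from the message body.
function authorize(grants, senderId, request) {
  if (typeof senderId !== "string" || senderId === "") return DENY;
  const method = request && request.method;
  const known = typeof method === "string" &&
    Object.prototype.hasOwnProperty.call(METHOD_KIND, method);
  if (!known) return DENY; // includes any attempt to read the permissions list
  const level = grants.has(senderId) ? grants.get(senderId) : Level.NONE;
  return decide(level, METHOD_KIND[method]);
}

// Constructed sample grants (IDs are placeholders, not real extensions).
const sampleGrants = new Map([
  ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", Level.READ],
  ["bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", Level.WRITE],
  ["cccccccccccccccccccccccccccccccc", Level.DISALLOWED],
]);
```

A `prompt` result means the handler must hold the request until the user answers; the permissions list has no entry in `METHOD_KIND`, so it stays unreachable from the external API.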