search

Rob--W / open-in-browser

A browser extension that offers the ability to open files directly in the browser instead of downloading them.
Other
83 stars 15 forks source link

Requires excessive permissions #62

Open am11 opened 4 years ago

am11 commented 4 years ago

none of the required permissions seem relevant to functionality this extension provides:

image

Sxderp commented 4 years ago

I can probably help with this. But Rob could go more in depth.

  1. Required to intercept headers and figure out if the extension should open the dialog
  2. History is required because the extension is actually private-browsing aware. A lot of developers don't take this into consideration. But when in private browsing the extension deletes its own window url from history.
  3. Pretty much the same as above.
  4. Tabs permission is required to remove the tab after the dialog box appears. To create similar behavior to the native box.
  5. This one seems silly to me and I feel like should be brought up in a bugzilla feature request to extend the webRequest api. Anyway, it technically doesn't really grant any more permission than what 1. already gives. But it's used for determining if the user aborts navigation.
Rob--W commented 4 years ago

Thanks @Sxderp for providing an answer. Most of what you said is correct, but in some cases (2, 3, 4) there are slight differences.

  1. "Access your data for all websites" (<all_urls>) - This is needed to see network requests and their headers, in order to show the dialog when needed.
  2. "Access browsing history" (history) - This is to prevent the dialog's moz-extension://-URL from appearing in the history. The URL is not meaningful to users, and removing it from history prevents it from appearing in the location bar's autocompletion results.
  3. "Access recently closed tabs" (sessions) - This is to prevent the dialog from re-appearing when the user re-opens the most recently closed window - see #43
  4. "Access browser tabs" (tabs) - needed to see the current URL of a tab/dialog. Not used in the current implementation, but kept because it could be necessary again in the future for the extension to work. This permission is similar to the next permission (webNavigation).
  5. "Access browsing activity during navigation" (webNavigation) - Used to detect whether the request has been aborted, in order to detect whether the dialog should be closed.