Limit extension's access to certain URLs

[12people]

I'm always generally uneasy about letting an extension "access my data for all websites". Would you please consider limiting the extension's access to just data from Youtube, Twitter, Instagram, and Google Maps URLs?

[SimonBrazell]

Unfortunately that permission is required to enable embedded video redirects as they can originate from any site, not just the target domains. I don't know of any other way around this, see #6 for the original discussion that prompted the change.

[SimonBrazell]

@12people hope that explanation covers it.

As the broad permissions are really only used by the Invidious redirects (embeds) I think another approach would be to extract the logic for it out and deploy the other redirects as seperate extensions with lesser permissions?

Closing this for now as I don't see any other way of addressing this issue.

[ghost]

It should be possible to only request <all_urls> as an optional permission that the user can grant post-installation.

The issue then might just be figuring out when's a good time to prompt the user to make the choice. Ideally it might be the first time they navigate to a page with an embedded video, but of course without the permission you won't know when that is!

[SimonBrazell]

Hi @prcmt true, given it's only needed for embeds perhaps I could display a window on install asking the user if they would like to opt-in for embedded redirects, which would then display the optional permission. I thought about this previously but was discouraged when I read somewhere that this shouldn't be used if the permission is required for the extension to operate, but on second thought the extension would still be useful even without the all_urls permission if it still worked on targeted domains.

[ghost]

I see that https://github.com/SimonBrazell/nitter-redirect is already spun off as its own. Would it be possible to make more individual extensions for Invidious, Bibliogram, or OSM?

[SimonBrazell]

Nitter redirect was the first actually, this is the spin off 😁 but yes certainly possible, although I think if I implement optional permissions for the embed redirects and then list all the other domains needed individually then it shouldn't be needed right?

[ghost]

I admit, I'm no add-on dev. I don't know much javascript either. Was just putting out a thought. Definitely leaving the decision to the experts. :P

I suppose I'm curious how that works. On the store page would it still say that it's requesting access to all websites but then you have the choice to restrict it?

[SimonBrazell]

On the store page it would say that it needs access to only specific domains, like Nitter Redirect does, and then when installed it will prompt for further access to all URLs, which could be denied, meaning that embed redirects wouldn't work but links would.

[ayushnix]

Hey @SimonBrazell, I'm using your Nitter Redirect addon but I recently came to know about this addon. Unfortunately, it looks like that this addon needs the <all_urls> permission to fix #6.

Can you restrict <all_urls> to an optional permission and use a list of needed websites by default? You can show a warning in the addon dashboard and details page in Firefox that if someone wants to fix embedded videos, they can enable the optional <all_urls> permission.

I'd be happy to switch to this addon instead of Nitter Redirect if this is implemented. Thanks.