Closed rcmero closed 6 years ago
Permissions alone don't mean much. Even that article says so. And it's perfectly possible to write a permissionless extension that will easily trick users into installing malware or leaking their sensitive data.
Permissions for "accessing data on all sites" doesn't mean your private data is accessed. As you can see in, say, uBlock's wiki, those are necessary to simply be able to modify the page - for Tampermonkey it's to run your userscripts. The scripts can't run in an abstract space, they need to be injected into the web page and the only way to do it always produces an installation permission dialog like that.
Same for "reading your browsing history" - it's just the only way to know when to run your userscripts because there's no cross-browser API to register userscripts and be done about it. Firefox will add it in the future, though. Currently Tampermonkey needs to install a hook that's invoked on any navigation and then it runs applicable userscripts for this URL.
> reading your browsing history

Tampermonkey does not require the "history" permission. So it cannot access your browsing history after being enabled again. 😅
[edit 2019-07-31]
But it requires the "tabs" permission. Unfortunately Chrome labels the "tabs" permission with "Read your browsing history" while "Access your browsing activity" would be a better wording. Please also see this stackoverflow entry and the Chrome documentation page for more information.
[/edit]
You don't have to be worried. I created Tampermonkey first of all for me. My friends and colleagues are using it. That's why it's unlikely that I'll add something immoral. Furthermore I'm located in Germany where GDPR applies (not sure if you heard of it). GDPR is one of the most strict privacy protection laws.
> accessing data on all sites

As @tophf explained, Tampermonkey uses this permission to determine if a script needs to be executed and to inject scripts into the pages. No browsing data is sent to me or anywhere else.
Tampermonkey sends some general anonymous statistics, which are very important to me, because it allows me to see internal errors even before someone reports them or some symptoms and to get some basic knowledge about the users (browser versions, screen resolution, language, ...). All data is aggregated, it's not possible to track individuals. If not wanted, then this feature can simply be disabled at the settings page. Please check Tampermonkey's privacy policy. It explains how to disable all data collection.
Finally: trust, but verify! You can investigate all network requests on your own. 🤓
Tampermonkey DOES require the "history" permission.
This is due to the "tabs" permission -> https://developers.chrome.com/extensions/permission_warnings#permissions_with_warnings I've updated https://github.com/Tampermonkey/tampermonkey/issues/574#issuecomment-402260725 to reflect this.
Note: I've commented on a Chrome issue report that wants to change the permission description: https://bugs.chromium.org/p/chromium/issues/detail?id=429185#c53
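An added example (not code from Tampermonkey or from anyone in this thread): a small Node.js audit of an extension's manifest.json that keeps the `history` API permission apart from permissions such as `tabs` that expose the URLs of pages as you browse, and lists all-sites host patterns. The sample manifest is constructed, and the function and field names are assumptions of this example.

```javascript
// Constructed example: audits a WebExtension manifest for the permissions
// discussed in this thread. Names (auditManifest, field names) are hypothetical.

// Match patterns that cover every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Permissions that expose tab/navigation URLs as browsing happens.
// Chrome labels "tabs" with "Read your browsing history" (see the comment above).
const ACTIVITY_PERMS = new Set(["tabs", "webNavigation"]);

// True if a permission string is a host match pattern rather than an API name.
function isMatchPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp|wss?):\/\//.test(p);
}

function auditManifest(manifest) {
  const declared = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 moves them to "host_permissions".
  const hosts = [
    ...declared.filter(isMatchPattern),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  return {
    // chrome.history API: access to the stored history database.
    storedHistoryApi: declared.includes("history"),
    // URLs of open tabs / navigations, only while the extension is running.
    browsingActivity: declared.filter((p) => ACTIVITY_PERMS.has(p)),
    // Patterns that let the extension inject into or read every page.
    allSites: [...new Set(hosts.filter((h) => BROAD_HOSTS.has(h)))],
  };
}

// Constructed sample manifest, not Tampermonkey's real one.
const sample = {
  manifest_version: 2,
  permissions: ["tabs", "webNavigation", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};

console.log(auditManifest(sample));
```

To check an installed extension, pass the parsed contents of its manifest.json to `auditManifest` instead of `sample`.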
So I have a friend that made hacks for a game, and I saw someone else copied from him. He (my friend) was hiding the code so the person who copied from him now can't change the code to his name. But he still copied from him, and the name of my friend is still on the hacks. Can my friend do something about it? Block the person from using the code or something? Can my friend report him?
So recently it has come to light that Stylish has been recording every user's browsing histories and possibly using them for malicious means.
https://www.howtogeek.com/fyi/browser-extension-stylish-knows-what-porn-you-watch-and-all-of-your-web-history/
It's not really that big of a deal for me, since I don't really use Stylish anymore, and the only reason I did was rendered null with WebExtensions.
I do, however, use Tampermonkey actively, and for Tampermonkey to work it needs the same permissions Stylish does. I am here asking you if I should be worried about that.