XengShi / materialYouNewTab

A Simple New Tab (browser's home page) inspired by Google's 'Material You' design
1.32k stars 124 forks

Extension asks for permission to access and edit every single webpage #32

Open ClementNerma opened 2 weeks ago

ClementNerma commented 2 weeks ago

Hi there!

I've been interested in trying out your extension, but I've come across a little problem. When adding the extension on the Firefox Addons website, I get the following popup:

image

This could be translated into English as "access all your data for every single website", which means it can view everything I do, read everything I type, and so on.

So I'd like to know why the extension requires these permissions, especially since on the very same page it says it doesn't need any permission?

Thanks :)

XengShi commented 2 weeks ago

Hi there!

Thanks for your message.

I’m not sure why you’re seeing that issue. It might be a problem with Firefox or something in my code. The extension code is the same for all browsers (like Chrome and Edge), but the manifest file is different for Firefox.

If you’re worried about those permissions, I completely understand.

For now, you could try using the extension on another browser, like Chrome or Edge.

Thanks for understanding!

ClementNerma commented 2 weeks ago

So this is not something you're aware of. I'll try to look into it when I have time, I think this may have to do with activeTab granting the extension full access to the current tab when some conditions are met (e.g. registered keyboard shortcut is pressed, or extension's icon is clicked).

EDIT: By the way, why does the extension require activeTab?

itsmartashub commented 2 weeks ago

Hi there.

Well, I totally understand your concerns about the browser warning. I was also sceptical about those browser permissions, before I started developing browser extensions on my own. Then I learned that many basic functionalities of extensions necessitate specific permissions, which can understandably trigger concerns and anx for users. Like the comment here said: "It seems that both users and devs share a discomfort when it comes to browser permissions."

It seems that the message you're seeing is a default warning that Firefox displays for extensions that use certain features, such as overriding the new tab page. Firefox interprets this as "Accessing all websites" because, technically, the extension modifies the behavior of a built-in browser feature (the new tab). However, in reality, the extension only changes the new tab page and does not track or interact with other pages you visit.

Tho, @XengShi, it might be worth considering modifying the "matches": "<all_urls>" in the content_scripts section of manifest.json to "matches": ["*://newtab/"] to further restrict permissions...? Tho, this manifest in source code is for chromium based browsers, not for Firefox, so I can't tell for sure about Firefox :(

After reviewing the source code, I can confirm that there’s nothing suspicious. At least for now, lol. But please don’t take this as an indication that something shady will happen! Just, it’s essential to remain vigilant when using any extension, I'm talking about my own too, ofc. We see many times that some extensions may start out legitimate, but as they grow in popularity, they can unfortunately become vehicles for malicious updates even after years of legit development. That's why it's crucial to review permissions and keep an eye on updates over time.

Here’s a breakdown of why the extension requests these permissions:

  1. New tab page override: The extension replaces your default new tab page with a custom one that displays a clock, weather widget, search bar, etc.

  2. Local storage: The extension uses this permission to save your settings (like the weather API key, theme preferences, and selected search engine) on your device. This way, you don’t have to re-enter your preferences every time you open a new tab.

    [!NOTE] @XengShi For improved security, maybe the usage of localStorage for sensitive information like API keys should be avoided? Instead, using chrome.storage.local could be better for security if synchronization across devices isn’t needed, or chrome.storage.sync if it is required. This approach helps ensure that sensitive data is less exposed to potential vulnerabilities associated with localStorage.

  3. Weather and location: The extension fetches weather data for your location based on your IP address using a public service like ipapi.co. This data is solely used to display the current weather on your new tab page and does not track your browsing.
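An added example, not part of any comment in this thread and not the project's own code: a small audit that lists the places in a WebExtension manifest where a host pattern matches every site, such as the `<all_urls>` content-script match mentioned above. The sample manifests and the names `auditManifest`, `sampleManifest` and `trimmedManifest` are constructed for illustration.

```javascript
// Added example; the manifests below are constructed, not the project's real files.

// Host patterns with a wildcard host ("*://*/*", "https://*/*", ...) match every site.
const ALL_HOSTS = /^(\*|https?):\/\/\*\//;
const isBroad = (p) => p === "<all_urls>" || ALL_HOSTS.test(p);

function auditManifest(manifest) {
  const findings = [];
  const check = (where, patterns) => {
    // Tolerate a bare string where the schema expects an array.
    const list = Array.isArray(patterns) ? patterns : patterns ? [patterns] : [];
    for (const p of list) {
      if (typeof p === "string" && isBroad(p)) findings.push({ where, pattern: p });
    }
  };
  // Manifest V2 mixes API names and host patterns in "permissions";
  // Manifest V3 moves host patterns to "host_permissions".
  check("permissions", manifest.permissions);
  check("host_permissions", manifest.host_permissions);
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(`content_scripts[${i}].matches`, cs.matches));
  return findings;
}

// Constructed sample: a new-tab override that also declares a content script for all URLs.
const sampleManifest = {
  manifest_version: 2,
  name: "example-new-tab",
  permissions: ["activeTab", "storage"],
  chrome_url_overrides: { newtab: "index.html" },
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// Same manifest without the content script: no broad host pattern remains.
const { content_scripts, ...trimmedManifest } = sampleManifest;

console.log(auditManifest(sampleManifest));
console.log(auditManifest(trimmedManifest));
```

Run it with Node.js against a parsed `manifest.json` from the packaged extension to see which entry, if any, carries an all-sites pattern.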

ClementNerma commented 2 weeks ago

Thanks for your detailed response :)

Just to be clear, I was not implying that the required permission was something shady, I was just curious why it was there and if the extension's author was aware of it.

I've also read this extension's source code to ensure there was nothing weird here (even though the packaged extension can be different from the source code, but that's another thing).

I still think that it's important for extensions to have the least possible amount of permissions to prevent something shady from happening in the future; not necessarily from the extension's author, but if someone malicious publishes a corrupted version of the extension, if it's sold to someone else, etc.

itsmartashub commented 2 weeks ago

Well, pardon my french 🥲

I guess I should have checked your profile first, then I would have realised the real background of this issue, and that you were already familiar with it. But you probably wanted to check whether the extension's maintainer was aware too and whether some permissions were truly necessary for the extension to function properly.

> even though the packaged extension can be different from the source code, but that's another thing

100%, and packed extensions, built apps attached in GitHub releases, etc., could talk about these things all day, but like you already said, that's another topic.

> I still think that it's important for extensions to have the least possible amount of permissions to prevent something shady from happening in the future

I couldn’t agree more with this approach, whether it's about an extension or any other type of app. The fewer permissions are granted, the lower the risk of misuse if it ever gets compromised. Also, less anx attacks for users triggered by warning pop-ups about permissions that might not even be needed for the current extension/app state

ClementNerma commented 2 weeks ago

Sorry if I didn't explain myself correctly first 😅

Yes, I was wondering if 1) the extension's author was aware of that permission requirement and 2) why it was there.