search

brandon1024 / find

A find-in-page extension for Chrome and Firefox that supports regular expressions.
https://chrome.google.com/webstore/detail/find%2B-regex-find-in-page/fddffkdncgkkdjobemgbpojjeffmmofb
GNU General Public License v3.0
409 stars 53 forks source link

Reduce required permissions #338

Closed fm-sys closed 3 years ago

fm-sys commented 3 years ago

Issue Description

The add-on requires the permission "Access your data for all websites" which AFAIK also allows reading stored passwords while other extensions show, that it's possible to do the same thing without any permissions.

See https://addons.mozilla.org/de/firefox/addon/multiple-highlight/ as an example...

luisvalenzuelar commented 3 years ago

Absolutely. This is totally insane and intrusive. Regex Search does not need such insane permissions. BEWARE.

brandon1024 commented 3 years ago

@raspatan Hold on, woah. No need to be so aggressive. Please, let's be respectful.

Chrome has some alarmist messaging around the permissions that the extension needs. Really all it's asking for is that javascript be loaded into every page. Don't be alarmed. This extension never talks to any servers and does absolutely nothing with your data. You're welcome to read through the source code.

Here are all the persmissions the extension needs, and explanations with each:

"tabs",

Pretty much every extension ever needs this one. This allows the extension to interact with tabs you have open.

"activeTab",

Same thing here. This is used to query for the tab that is currently active.

"background",

A background script is needed to act as a mediator between the UI (popup) and content scripts running in the page. This background script is only activated when you actually start up the extension popup. The background script also does a bit work, specifically around building an occurrence map from text in the page against a regular expression. This is created to help speedup the extension, for quicker lookup. Read through the source here.

"storage",

Some features require local storage, like settings and history features. You can find the relevant source here.

"clipboardWrite",

Find+ has a feature that can copy one (or all) occurrences of a regex to the clipboard. To do that, the extension needs this permission.

"contextMenus",

This allows the extension to create a "Show Help" context menu when you right click on the popup icon, so that you can go right to the find+ documentation.

""

This allows the extension to work on all pages. Otherwise, it would be an opt in model, where I'd have to define a huge list of URLs where this extension would work.

@fm-sys Does this help explain your issue?

fm-sys commented 3 years ago

@fm-sys Does this help explain your issue?

Thank you for the clarification.

But question was rather the other way around. There are probably alternative approaches that have the same result but don't need additional permissions and which could be used as well. Nevertheless, I trust open source projects and if missing permissions would lead to limited functionality, it is definitely not worth it.

Good luck with further development ;-)

brandon1024 commented 3 years ago

@fm-sys yeah, my hands are pretty tied here. I could remove some permissions, but that would mean taking away features. I'd get crucified by the community if I did that..

Do you mind if I close this ticket?

fm-sys commented 3 years ago

Do you mind if I close this ticket?

Fine for me 😉