image4tools / Save-Image-as-Type

Save Image as Type is a Chrome extension which adds Save as PNG / JPG / WebP to the context menu of images.
GNU General Public License v2.0

Add explanation for the new notification permission #23

Closed NutchapolSal closed 1 year ago

NutchapolSal commented 1 year ago

In the Chrome Web Store reviews, people are rating the extension 1 star after getting asked to allow the extension to send notifications.

From what I can see in 342138d, it's only for reporting errors. This information should be put somewhere people will see, like the extension's description so people will stop going crazy.

I think it will also be helpful to remind people where they can view the source code for the extension.

cuixiping commented 1 year ago

Thanks for your suggestion. I'll update it in the next publish.

Mugane commented 1 year ago

Still does not explain why real-time notifications are required. Nobody needs to be notified in real time that there is an error of any kind. I completely understand people's reluctance to trust the extension after a move like this.

Note that the only options people were given were to accept real time notifications or remove the extension. So it's not even like the permission by itself is so terrible, the issue is that users were essentially extorted into accepting a clearly unnecessary and suspicious agreement "or else" (or else remove the extension). With no warning or explanation...

Bottom line is that even now that the notifications permission has been removed, trust has been eroded - leaving questions like why are these permissions required at all? Why isn't a permission as potentially invasive as "read and change your data on all websites" an optional permission that the user can enable at run-time? The fact that the extension can read everything any time is now deeply concerning. And although I could, I don't remotely have time to review the code and every commit to figure out if it's phoning home when it shouldn't. Nobody does...

cuixiping commented 1 year ago

Notifications are required to show error messages to the user, so the user can know what happened when something goes wrong; it's not very necessary. Maybe using the action popup to show messages is an alternative way.

"read and change your data on all websites" will appear with almost every extension, I don't think it's a problem. The disadvantage of optional permissions is that the warning prompt will show for every different origin, it's too noisy.

I haven't seen many extensions which explain every permission request.

The permissions are required for the extension's functions, and the detailed reasons were posted to the web store for review. If someone really does not trust it, he can change the permissions in the Chrome extension settings.

NutchapolSal commented 1 year ago

> Still does not explain why real-time notifications are required

I'm pretty sure that's the only way to show alerts other than not showing them at all?

PhoenixEugene commented 1 year ago

Um so... the extension just stopped working? Hopefully, it gets fixed soon.

cuixiping commented 1 year ago

> Um so... the extension just stopped working? Hopefully, it gets fixed soon.

The extension works well.

cuixiping commented 1 year ago

> > Still does not explain why real-time notifications are required
>
> I'm pretty sure that's the only way to show alerts other than not showing them at all?

Notification is the cleanest way to show alerts.

v1 uses a content script injected into every page, and v2 uses a service worker and has no script injection. I think v2 is much better.

Mugane commented 1 year ago

Re: notifications: My point is that notifications are an integral part of Windows so you are essentially assuming that whatever you are notifying the user about is as important as real-time text messages, phone calls, etc - and I know you put effort into building the extension but its priority is much lower to users than it probably seems like it should be to you. Notifications from every extension would be super extra. If you did a poll of your users, I would bet close to 100% of them would be very much against getting any kind of notification from the extension, ever. Even if there's an error. A session-based log view from the settings page would be sufficient for the few users that would care to see what might be going wrong.

Re: run-time permissions vs permanent permissions: The thing is that users would only be required to approve when they are downloading an image - a rare occurrence. So it's ok that it would ask for every domain. And, the user could add more permissions that were optional if they download a lot of images (a real edge case). As it is, the permanent permission for all sites is not an option - you either allow it or can't use the extension at all.

cuixiping commented 1 year ago

The image host is usually different from the page host, and images on one page or one site can have several different CDN hosts; that means the user may be asked two or more times on one site.

Users can override the host permissions in settings if they care.

Extension Details -> Site access -> Allow this extension to read and change all your data on websites you visit: [ ..... ]
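
The trade-off argued in the last few comments (a prompt per image origin versus a permanent all-sites grant), as an added example that is not the extension's own code: it requests the image's origin only when it is not yet granted, then replays a constructed session in which one page serves images from two CDN hosts. It assumes a Manifest V3 extension that declares the hosts under `optional_host_permissions` and passes `chrome.permissions` as `permissions`; the function names, the fake permissions object and the `cdn.example` URLs are hypothetical.

```javascript
// Added example: not code from the Save-Image-as-Type repository.
// Origin match pattern for an image URL, or null when no host grant applies.
function originPattern(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null; // data:, blob:
  return `${u.protocol}//${u.hostname}/*`;
}

// Request access to the image's origin only if it is not already granted.
// `permissions` has the shape of chrome.permissions (contains/request);
// `info` carries the srcUrl field of a chrome.contextMenus.onClicked event.
async function ensureImageAccess(permissions, info) {
  const origin = originPattern(info.srcUrl);
  if (origin === null) return { allowed: true, prompted: null };
  if (await permissions.contains({ origins: [origin] })) {
    return { allowed: true, prompted: null };
  }
  const allowed = await permissions.request({ origins: [origin] });
  return { allowed, prompted: origin };
}

// Constructed stand-in for chrome.permissions that accepts every prompt.
function fakePermissions() {
  const granted = new Set();
  return {
    contains: async ({ origins }) => origins.every((o) => granted.has(o)),
    request: async ({ origins }) => {
      origins.forEach((o) => granted.add(o));
      return true;
    },
  };
}

// Constructed session: four saves from one page served by two CDN hosts.
// Returns the origins the user would have been prompted for, in order.
async function simulateSession() {
  const perms = fakePermissions();
  const clicks = [
    'https://img1.cdn.example/a.webp',
    'https://img2.cdn.example/b.webp',
    'https://img1.cdn.example/c.webp',
    'data:image/png;base64,AAAA',
  ];
  const prompts = [];
  for (const srcUrl of clicks) {
    const result = await ensureImageAccess(perms, { srcUrl });
    if (result.prompted) prompts.push(result.prompted);
  }
  return prompts;
}
```

The session yields one prompt per distinct CDN host and none for the repeat save or the `data:` image, which is the cost and the benefit each side of the thread describes.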