kheina-com / Blue-Blocker

Blocks all Twitter Blue verified users on twitter.com
Mozilla Public License 2.0

What's up with the new permissions? #155

Closed Skellingtor closed 1 year ago

Skellingtor commented 1 year ago

I don't see why this extension would require access to manage my apps, extensions, and themes, so is there a good reason why this change was implemented or should I uninstall Blue Blocker right now?


mrtolkien commented 1 year ago

Same here, this popped up today and I promptly uninstalled the extension.

Is there any reason for it to need those permissions?

wolrah commented 1 year ago

Was just coming here for the same reason. Looking through recent commits it looks like this might have been related to the soupcan integration, but it's hard to tell because all the TypeScript related changes are bundled together in one huge commit of doom so a "git blame" on the manifest line isn't really helpful.

alexander-paterson commented 1 year ago

This is what Firefox says that permission is for. Not sure why the extension would need those to block users on Twitter.


SilverAndro commented 1 year ago

Managed to track it down, this seems to be the only usage https://github.com/kheina-com/Blue-Blocker/blob/8dd998a3a1d38724e4bfd80c390adbbfc530accb/src/popup/index.ts#L61-L68 (you can search for management as that's the api object)

Personally I'd prefer this was reverted, you're requesting a pretty wide reaching permission for something that could be achieved either through other means of communication, or by just sharing code between y'all

josephclaytonhansen commented 1 year ago

Same, I'll be keeping this disabled until these permissions are reverted

mdamaged commented 1 year ago

Yeah, keeping this disabled until it's reverted, there's no good reason for these extensive permissions.

wolrah commented 1 year ago

> Managed to track it down, this seems to be the only usage

Good find, so it was in fact the soupcan integration and it looks like this permission is literally only used to detect if the extension is installed.

I agree that this should be reverted and I will not be updating the extension as long as it requires this permission.

Soupcan integration is a good idea, but if checking to see that it exists really requires this huge of a permission then I think the right answer would be to either have a checkbox to manually enable the integration or to just try anyways and figure out a way to gracefully fail if it's not present.

TBH the extension system should probably allow for more granular permissions here as well so one extension can be allowed to check for the existence of others without being permitted to have control over all my extensions, but this is what exists in browsers right now so it is what it is.

SilverAndro commented 1 year ago

It does actually have error handling for if soupcan isn't installed/is unloaded already so just having the option always show with a usage note should work, since the actual communication uses runtime.sendMessage (which fails if someone else hasn't set up a listener/handler for that channel) https://github.com/kheina-com/Blue-Blocker/blob/8dd998a3a1d38724e4bfd80c390adbbfc530accb/src/shared.ts#L504-L557
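
An added example (not Blue-Blocker's or Soupcan's own code) of the approach wolrah and SilverAndro describe above: detect a companion extension by sending it a probe message and treating a missing receiver as "not installed", so the manifest needs no `management` permission. The extension id, message shape and response fields are placeholders, and the runtime object is a constructed stand-in for `chrome.runtime` so the code runs outside a browser.

```javascript
// Added example, not Blue-Blocker's own code. Checks whether a companion
// extension is present by sending it a probe message (runtime.sendMessage with
// a target extension id) instead of calling the management API, so no
// "management" permission is needed. `extensionId` is a placeholder value.
function probeExtension(runtime, extensionId, onResult) {
  try {
    runtime.sendMessage(extensionId, { type: "ping" }, (response) => {
      // When no extension with that id has an onMessageExternal listener,
      // Chrome sets runtime.lastError and invokes the callback with undefined.
      if (runtime.lastError || response === undefined) {
        onResult({
          installed: false,
          reason: runtime.lastError ? runtime.lastError.message : "no response",
        });
        return;
      }
      onResult({ installed: true, reason: "ok", version: response.version });
    });
  } catch (err) {
    // Some browsers throw instead of setting lastError; treat that as absent too.
    onResult({ installed: false, reason: String(err && err.message ? err.message : err) });
  }
}

// Constructed stand-in for chrome.runtime so the example runs outside a
// browser: `listeners` maps extension ids to the handler each would register
// with runtime.onMessageExternal. A missing id means "not installed".
function makeFakeRuntime(listeners) {
  const runtime = { lastError: null };
  runtime.sendMessage = (id, message, callback) => {
    const handler = listeners[id];
    if (!handler) {
      runtime.lastError = { message: "Receiving end does not exist." };
      callback(undefined);
      runtime.lastError = null;
      return;
    }
    runtime.lastError = null;
    callback(handler(message));
  };
  return runtime;
}

// Convenience wrapper: the fake runtime calls back synchronously, so the
// probe result can be returned directly for inspection.
function probeSync(listeners, extensionId) {
  let result = null;
  probeExtension(makeFakeRuntime(listeners), extensionId, (r) => { result = r; });
  return result;
}
```

In a real extension you would pass `chrome.runtime` (or `browser.runtime`) and the companion's real id, and the companion needs an `onMessageExternal` handler that answers the ping.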

kheina commented 1 year ago

hey everyone, management is indeed just for accessing the management api in the popup menu. also in this version was "unlimitedStorage" which is used for the legacy verified users database.

I'll look into another way of checking if other extensions are installed for integrations, I didn't think this would cause that much of an issue.

msampson3d commented 1 year ago

> hey everyone, management is indeed just for accessing the management api in the popup menu. also in this version was "unlimitedStorage" which is used for the legacy verified users database.
>
> I'll look into another way of checking if other extensions are installed for integrations, I didn't think this would cause that much of an issue.

I'm pretty sure there isn't a real concern with the current usage of the permission, but more a general concern for user security, where hypothetically if there was some future state where operation was taken over by less trusted individuals, it would be easier for more nefarious code to be introduced without the userbase being made aware.

kheina commented 1 year ago

I believe Firefox has a way to deny permissions for new extension versions which will then keep the old version, which will continue to work just fine in the mean time.

> I'm pretty sure there isn't a real concern with the current usage of the permission, but more a general concern for user security, where hypothetically if there was some future state where operation was taken over by less trusted individuals, it would be easier for more nefarious code to be introduced without the userbase being made aware.

yeah, it's nice having an easy way to check if something else is installed but I'll just fire a test message or something which should also work

wolrah commented 1 year ago

> I'm pretty sure there isn't a real concern with the current usage of the permission, but more a general concern for user security, where hypothetically if there was some future state where operation was taken over by less trusted individuals, it would be easier for more nefarious code to be introduced without the userbase being made aware.

Exactly that. The current usage of the management API is perfectly reasonable, but the permission required for that API to be used is so wide ranging that granting it is not something to be taken lightly. To have an extension unexpectedly start asking for substantial permissions increases as part of an update is obviously alarming, especially when that request doesn't come with an obvious callout in an easily located changelog saying "hey this version requires new permissions for $reason".

edit: added quote for clarity since other posts came in before I finished

kheina commented 1 year ago

what's funny is that chrome actually does have that call-out. I don't know if it's used or checked by a real person but you have to put a reason for all permissions, and they're listed on the store page

msampson3d commented 1 year ago

> you have to put a reason for all permissions, and they're listed on the store page

Is it? https://chrome.google.com/webstore/detail/blue-blocker/jgpjphkbfjhlbajmmcoknjjppoamhpmm

I could swear that was true, but I don't see it anywhere. Maybe it's only seen when initially installing the addon? Or I'm blind. :)

wolrah commented 1 year ago

I also have a vague recollection of that being a thing at one point, but I can't find anywhere it's exposed to the user at this time. Neither the dialog prompting for the increased permissions nor the store page seem to display it.

kheina commented 1 year ago

pushing the new version with the management requirement removed to stores now. thanks for the concerns y'all. as an added bonus, I added the option to block promoted tweets, too. look out for that

kheina commented 1 year ago

the latest release is available here for anyone who installs directly. firefox is already available in the store, and you should be able to update it manually from your addons page. chrome usually takes longer. I'll update this thread when I notice it has been published

match-gabeflores commented 1 year ago

I worry a decent % of people (5-10%?) uninstalled this very useful extension because of these changes. and aren't checking on Github regarding this fix.

kheina commented 1 year ago

> I worry a decent % of people (5-10%?) uninstalled this very useful extension because of these changes. and aren't checking on Github regarding this fix.

I'll know in the next few days, maybe I'll update the thread with user stats after they update

kheina commented 1 year ago

remembered you can disable and delete versions on firefox, so I did that, hopefully no one else gets pushed 0.3.0. no such feature exists on chrome so I just have to hope no one deletes, or at least looks at reviews and waits for 0.3.1

sekoku commented 1 year ago

> pushing the new version with the management requirement to stores now. thanks for the concerns yall. as an added bonus, I added the option to block promoted tweets, too. look out for that

Would it be possible to add the ability to block based on follower list? Store Scams is making a list of the drop-shipping scam stores to block, but the block list is 2,000 (and growing!) followers and even if you use the Twitter main site and click through->block that gets tedious to do manually AND the following list gets broken after a certain amount.

If it is possible to import a .csv or something like the old blocklists, all they would have to do is open up their data-set and allow you to import the blocklist .csv for the extension to do the work for you and the broken follower list wouldn't be a problem then.

kheina commented 1 year ago

> > pushing the new version with the management requirement to stores now. thanks for the concerns yall. as an added bonus, I added the option to block promoted tweets, too. look out for that
>
> Would it be possible to add the ability to block based on follower list? Store Scams is making a list of the drop-shipping scam stores to block, but the block list is 2,000 (and growing!) followers and even if you use the Twitter main site and click through->block that gets tedious to do manually AND the following list gets broken after a certain amount.
>
> If it is possible to import a .csv or something like the old blocklists, all they would have to do is open up their data-set and allow you to import the blocklist .csv for the extension to do the work for you and the broken follower list wouldn't be a problem then.

please make a standalone issue to request new features. in short, maybe, depending on the contents of the csv

kheina commented 1 year ago

chrome is taking their SWEET time.

Skellingtor commented 1 year ago

Before you close the issue I just want to say thank you for addressing it and taking action so quickly, I really appreciate it!

kheina commented 1 year ago

> Before you close the issue I just want to say thank you for addressing it and taking action so quickly, I really appreciate it!

thanks, I'm just trying to do something good, and it's fun knowing how much elon hates it. I do feel pretty dumb for adding something that's probably gonna drive a bunch of people away, though....

final update before I go to bed: chrome still hasn't approved. probably taking longer because the manifest changed, even if it's removing a permission. it should be out by morning, I think

kheina commented 1 year ago

[screenshot attached]

jasonsegal commented 1 year ago

not sure if this the best place to comment this but yesterday I blindly gave these permissions, today I woke up to an email saying there was a new login to my account and my twitter password was changed.

my email wasn't updated so I changed the password back and uninstalled blue blocker

kheina commented 1 year ago

> not sure if this the best place to comment this but yesterday I blindly gave these permissions, today I woke up to an email saying there was a new login to my account and my twitter password was changed.
>
> my email wasn't updated so I changed the password back and uninstalled blue blocker

blue blocker doesn't access, store, use, or even see your password. I highly recommend you change your password to something unique that hasn't been used previously on any other website, and store it using a password manager or your browser's password storage feature.

Anyasia commented 1 year ago

Just in case anyone else is still coming here, I figured I should point out that Chrome will continue to give the error and prompt for the app permissions even after the extension has been updated to no longer require them. If you're wary about granting the permissions (even though I præsume they'd be immediately overwritten by the newer update), you can remove the extension and reädd it from the Chrome store instead. :)

Thanks to the devs for your amazing work and for addressing these concerns so promptly!

kheina commented 1 year ago

> I worry a decent % of people (5-10%?) uninstalled this very useful extension because of these changes. and aren't checking on Github regarding this fix.
>
> I'll know in the next few days, maybe I'll update the thread with user stats after they update

as promised, here are some graphs showing the impact of the manifest change and the recovery since

Firefox: [graph showing firefox daily active users and downloads since June 2; there is little to no noticeable effect from the manifest change]. note that firefox measures users by daily active use and doesn't track active installations. if a user has the extension installed, but doesn't go to twitter.com, they won't be counted in this graph. so naturally, there will be some peaks and valleys.

the more interesting ones, Chrome: [graph showing weekly active users since June 2; it's very smooth and doesn't decrease at any point]. note that chrome measures users by weekly active users, so the graph will naturally be much smoother and resistant to sharp peaks and valleys.

chrome doesn't have a combined chart for installs and uninstalls so I shoddily combined the two in photoshop: [graph showing chrome installs and uninstalls since June 2; there is a huge peak of 769 uninstalls on june 27, but also a noticeable peak of 351 installs on the same day]. in case you're curious what this graph looks like with both lines adjusted to use the same scale: [linked image]

so, in short, it seems like there was a significant number of uninstalls on june 27, which was to be expected, but not nearly as significant as I thought it would be. 769 uninstalls on that day, but also 351 installs, probably from people reinstalling it after seeing this thread or just thinking maybe it's a bug idk. after the 27th it chills out a lot more with a couple more days of higher-than-average uninstall rates, but quickly going back to normal levels by the 30th.

to prevent issues like this from happening again, I've started doing delayed releases for the chrome store. firefox is much easier to remove releases from and upload patched versions, so it's a better platform to iron out problems before doing a full rollout to the much larger chrome userbase.

I've also attached the raw CSV files of all of the data from the graphs in case you're curious about all the numbers yourself

firefox-daily-users.csv firefox-downloads.csv chrome-weekly-users.csv chrome-installs.csv chrome-uninstalls.csv