Save snippets from https pages

[GoogleCodeExporter]

Not permitting saving snippets from encrypted pages is totally arbitrary. 
Why should I not be permitted to save a snippet from, say, the chrome 
extensions site?

Original issue reported on code.google.com by martin.espinoza on 30 Apr 2010 at 6:46

[GoogleCodeExporter]

The decision behind this choice is more moral than technical.

I think Chrome extensions expose users to excessive security risks. Most of 
them, Snippy included, are 
basically javascript snippets injected in each webpage you visit (like 
Greasemonkey). As such they could easily 
behave like keyloggers and collect user informations without their consent (the 
warning message that you get 
when installing an extension is too generic to make the user aware of the 
risks).

Keeping Snippy disabled on https websites guarantees to the users that, even if 
Snippy were to behave in a 
malicious way (it will never do, but let's imagine so), it won't steal 
sensitive information from them (such as 
the ones usually protected via https, like mail and bank credentials).

(they could also look at the open source code hosted here and verify by 
themselves that Snippy is not a piece 
of malware, but most of the people won't do this / don't have the skills ).

Let me know if this explanation satisfies you and I'll close the bug.

P.s.: the specific example you propose (saving snippets from the chrome 
extension site) won't work anyway, 
since content scripts can't be injected in such pages (see 
http://www.mail-archive.com/chromium-
extensions@googlegroups.com/msg02337.html ). 

Original comment by battlehorse@gmail.com on 30 Apr 2010 at 11:07

[GoogleCodeExporter]

The down side is when you have websites which use https from a moral standpoint 
(i.e. 
"everything should be encrypted when possible") ... even addons.mozilla.org is 
encrypted now.

I understand the explanation; it does not satisfy me; you may close the bug as 
"won't 
fix" anyway if you like :)

Original comment by martin.espinoza on 1 May 2010 at 1:50

[GoogleCodeExporter]

Yep, I know the downside. I'll try to think of a way to let the user 
selectively choose whether to enable https 
support or not. The problem is that the only way to achieve that with the way 
Chrome extensions are structured 
right now is to give Snippy blanket access the any https page and then trust 
Snippy to only inject itself in the 
pages you explictly allowed.

I'll keep the bug open for now.

Original comment by battlehorse@gmail.com on 1 May 2010 at 7:31

• Added labels: Browser-All, Component-Extension, Type-Enhancement
• Removed labels: Type-Defect

[GoogleCodeExporter]

This is my vote to let the user decide whether to trust snippet so snippet can 
do its best to work with whatever web page I'm on, https or not.   Life is full 
of risks and there is plenty of software that I use without auditing its source 
code.

Original comment by r.drew.d...@gmail.com on 9 Oct 2010 at 8:43

[GoogleCodeExporter]

You know i like this tool very much, but i find most of the pages now a days 
are HTTPS encoded which is making life difficult for me to use snippy, can some 
one help in this regard and make snippy more generous towards the secured pages 
as this is really a deal breaking thing some times, though snippy is a great 
tool undoubtedly.

Thanks in advance

Original comment by prmadh...@gmail.com on 10 Nov 2010 at 3:04

[GoogleCodeExporter]

I like the tool but this seems to be quit a showstopper. People even use 
facebook with https these days. Snippys of bankaccount status or transactions 
is something i use quit a lot.

People get killed on the road daily, we don't stop driving do we! ;-)

Original comment by fe...@steewell.nl on 16 Apr 2012 at 10:50

[GoogleCodeExporter]

The last time a project member responded to this issue was in 2010.. Does this 
mean that the case is closed? I.e. using snippy on https will reamin 
impossible? I almost can't believe there isn't a workaround...

Original comment by michielv...@gmail.com on 29 Jan 2014 at 5:02