qsniyg
commented
3 years ago Good idea, but this will require a rather fair bit of refactoring to do. Perhaps a button on the extension button's popup menu (when you click the extension button, not the image popup) to enable support for a page would work, if there's some kind of "request permission for the current page, whatever it is" option (as I'm not sure if it would be allowed to know which page you're currently on, as that could be a theoretical privacy risk).
It would also require refactoring the way that requests are handled, to ask for permission when requesting 3rd-party sites. I'm not sure how possible it is to do this without possibly dropping some requests if there are redirects (or having some requests perform incorrectly), I'd have to look into this more.
Unfortunately, I don't recall which extension, or the details. Perhaps you know.
Perhaps you're thinking of Reddit enhancement suite? It does this whenever you click on a "preview" link for a new domain, it asks permission to access that domain.
The only downside I can think of, offhand, is that the user may be barraged with permissions dialogs when they first install the extension.
True, though what I'm personally more worried about is that users might think the extension doesn't work correctly, as it would do nothing until they explicitly enable it for pages.
The way I was personally thinking of doing it is to have this as a separate manifest file, so people who sideload the extension can use that version instead.
That being said, since you mentioned that you're avoiding using chrome, I'm guessing you're using firefox, and they have that whole "you can't sideload anything we don't approve and no you can't about:config your way out of this" policy... perhaps then, either uploading a separate version, or having an unlisted version (with optional auto-update checking support)...
Sorry this is a bit disjointed as I'm kind of thinking out loud at this point. I think it's a great idea and one I would like to implement, but I currently don't have a good sense of how to go about doing it properly. Like the other one, I'll leave it lingering in my head to hopefully come across a good solution, and if you (or anyone else) has anything to add, please do so! In any case, there are a few issues that would need to be addressed anyways in order to support this, so I'll get to work on those :)
By the way, unrelated to this, but since you mentioned avoiding google (something I'm also very much in line with), you may want to give brave a go, it's made by the ex-ceo of mozilla. It is based on chromium, but it ungoogles it, and it also offers a fair amount of anti-fingerprinting protection as well (which afaik cannot be easily replicated by extensions... though who knows, perhaps gorhill will find a way...). Using it alongside ublock origin, it works brilliantly for my needs :)
Currently, this wonderful extension uses the "Access your data for all websites" permission. Although the extension has the internal ability to ignore user-defined hosts, it technically still has full access to all data on every site.
I would prefer some way to limit the scope of permissions.
This issue pertains to all extensions (not just this one), and I seem to recall that another extension figured out a good way to handle this. Unfortunately, I don't recall which extension, or the details. Perhaps you know.
I don't recall how they did it, but one idea I can think of is to specify
optional_permissions(see https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/manifest.json/optional_permissions). I think you can make optional permissions to access each of the 5 or 10 most popular sites, and then another optional permission to access all sites. Users can then pick and choose what they want. It's not a perfect solution, but it's a start.The only downside I can think of, offhand, is that the user may be barraged with permissions dialogs when they first install the extension. One way I can think of to remedy this is for the extension to only ask for approval of optional permissions at the time when the user changes the (new) corresponding setting within the extension's Settings UI.
Please note that this is all just a "first draft" on my thoughts on this, and I very much welcome your constructive feedback.
From what I can tell, Chrome might have this functionality integrated into the browser (see https://www.addictivetips.com/web/restrict-extensions-to-select-websites-chrome/), but I avoid using Google products.