reduxjs / redux-devtools

DevTools for Redux with hot reloading, action replay, and customizable UI
http://youtube.com/watch?v=xsSnOQynTHs
MIT License

Description for Chrome Extension misses vital information #1623

Closed. demt-viessmann closed this issue 4 months ago.

demt-viessmann commented 4 months ago

The description of the Redux Dev Tools Extension in the Chrome Web Store misses vital information, which leads to our IT Security Department declining the installation.

There is no Content Security Policy available. There is no information about the developer of the extension besides an email address. The URL part of that email address leads to a shady-looking website offering rewards for being the millionth visitor.

Methuselah96 commented 4 months ago

Hey @demt-viessmann!

Can you elaborate on what's missing as far as the content security policy? We have this privacy information; are you looking for something else?

[screenshot: privacy information]

The developer is a team; what kind of information would you be looking for? We'll look into the issue with timdorr.com. It seems to be linking to @timdorr's blog, but then redirects to some spam.

timdorr commented 4 months ago

Oh crap, my WordPress blog got hacked again? Must be a Tuesday!

I'll get that fixed though.

Edit: Got it!

demt-viessmann commented 4 months ago

According to the scanning tools our IT Security Department uses, your manifest file doesn't contain a Content Security Policy: https://developer.chrome.com/docs/extensions/reference/manifest/content-security-policy. I, however, can see that it is there in the repo, so I am confused right now. Trying to get more info from them.

Regarding the developer info, we would at least like to have a postal address. It also would be helpful to have a more "official"-looking email address, making the ties to a respected open source project more obvious. Right now the representation in the store looks like some "scratch your own itch" side project, not like an officially recommended and supported tool. That gives me a hard time in convincing the lawyers.
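The disagreement above between a scanner report ("no CSP in the manifest") and what is visible in the repository is a common source of confusion, because Chrome accepts two different shapes for the `content_security_policy` key: Manifest V2 declares it as a single string, while Manifest V3 declares it as an object with per-context policies (`extension_pages`, `sandbox`). A checker written for one shape can report the other as absent. The following is an added example, not code from the redux-devtools project or from this thread: a small Node.js helper that reads a manifest object, reports whether a CSP is declared for either format, and lists directives that weaken it. The three sample manifests at the bottom are constructed for illustration and are not the extension's real manifest. Note that Chrome applies its own default policy when the key is absent, so "no key" is not the same as "no policy in effect".

```javascript
// Added example (not the redux-devtools project's code): inspect a Chrome
// extension manifest and report whether it declares a Content Security
// Policy, handling both manifest formats Chrome supports.
//
// Manifest V2 uses a single string:
//   "content_security_policy": "script-src 'self'; object-src 'self'"
// Manifest V3 uses an object with per-context policies:
//   "content_security_policy": { "extension_pages": "...", "sandbox": "..." }
// A scanner that only looks for the V2 string form will report an MV3
// manifest as having no CSP even though one is declared.

// Parse "dir1 v v; dir2 v" into { dir1: ["v", "v"], dir2: ["v"] }.
function parseDirectives(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    out[name.toLowerCase()] = values;
  }
  return out;
}

// Returns { manifestVersion, declared, policies, findings } for a parsed manifest.
function describeCsp(manifest) {
  const version = manifest.manifest_version;
  const csp = manifest.content_security_policy;
  const result = { manifestVersion: version, declared: false, policies: {}, findings: [] };

  if (csp === undefined) {
    result.findings.push("no content_security_policy key in manifest (Chrome default policy applies)");
    return result;
  }

  if (version === 2) {
    if (typeof csp !== "string") {
      result.findings.push("MV2 expects content_security_policy to be a string");
      return result;
    }
    result.declared = true;
    result.policies.extension_pages = csp;
  } else if (version === 3) {
    if (typeof csp !== "object" || csp === null) {
      result.findings.push("MV3 expects content_security_policy to be an object");
      return result;
    }
    for (const key of ["extension_pages", "sandbox"]) {
      if (typeof csp[key] === "string") {
        result.declared = true;
        result.policies[key] = csp[key];
      }
    }
    if (!result.declared) {
      result.findings.push("content_security_policy object has no extension_pages or sandbox policy");
    }
  } else {
    result.findings.push(`unknown manifest_version ${version}`);
    return result;
  }

  // Flag directives that weaken the declared policy.
  for (const [context, policy] of Object.entries(result.policies)) {
    const directives = parseDirectives(policy);
    const scriptSrc = directives["script-src"] || [];
    if (scriptSrc.includes("'unsafe-eval'")) result.findings.push(`${context}: script-src allows 'unsafe-eval'`);
    if (scriptSrc.includes("'unsafe-inline'")) result.findings.push(`${context}: script-src allows 'unsafe-inline'`);
    if (scriptSrc.some((s) => s.startsWith("http:"))) result.findings.push(`${context}: script-src allows an http: origin`);
    if (!directives["object-src"]) result.findings.push(`${context}: no object-src directive`);
  }
  return result;
}

// Constructed sample manifests for demonstration (not the real extension's manifest).
const MV2_MANIFEST = {
  manifest_version: 2,
  name: "sample",
  content_security_policy: "script-src 'self'; object-src 'self'",
};
const MV3_MANIFEST = {
  manifest_version: 3,
  name: "sample",
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};
const NO_CSP_MANIFEST = { manifest_version: 3, name: "sample" };

console.log(JSON.stringify(describeCsp(MV3_MANIFEST), null, 2));
```

To run it against a real extension, read `manifest.json` with `JSON.parse(fs.readFileSync(path, "utf8"))` and pass the object to `describeCsp`; an empty `findings` array with `declared: true` is the result a reviewer wants to see.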

timdorr commented 4 months ago

I'm not putting my home address on the Internet 😬

This isn't a company or organization with a registered entity behind it. It is a collection of individuals working on a project together. Other than this website, there is no centralized location where the activities of this group occur. We live all over the world and have no "leader" per se. I just have my name on the Chrome Web Store extension because Google requires that and I've built extensions before.

I'm sorry if that runs afoul of your organization's policies, but there's not much we can do on our end. We have no budget, so we use the available tools and infrastructure we can afford and that may be insufficient. Such is the nature of using open source software.

markerikson commented 4 months ago

Yep.

The Redux team is a perfect example of the classic XKCD "Dependency":

[image: XKCD "Dependency" comic]

We're just a bunch of people who are doing this in our spare time. We do it to the best of our ability, but we're not a company or paid org.

I've worked in bureaucratic companies before, so I understand the pain points involved.

Hopefully you'll be able to convince your security folks that it is in fact safe to use a widely-used developer extension that's been around for 8 years and has millions of users :)

demt-viessmann commented 4 months ago

Totally understand your points. Thanks for looking into this, and good luck with your WordPress blog @timdorr ;).