Open tomfitzhenry opened 4 years ago
> This leaves users at risk in case an attacker manages to publish a malicious extension and potentially exfiltrate sensitive information.

For closed-source applications (like Play Store) I would agree. But if this is a concern for you, you can always check the source code before installing.
For me, missing the automatic detection or the cross-platform function would both make the add-on less useful.
> For closed-source applications (like Play Store) I would agree. But if this is a concern for you, you can always check the source code before installing.

I agree awesome-rss being open source makes this less risky than closed source, but it doesn't solve all problems:
FTR, I'm aware reducing permissions as proposed would still leave risk, since a malicious content script can still exfiltrate secrets on the pages where I initiate the proposed browser action.
This PR is about reducing risk, not removing it entirely.
> For me, missing the automatic detection or the cross-platform function would both make the add-on less useful.

Yes, the PR makes the add-on less useful for me too. It's a security-convenience tradeoff.
I don't expect the proposed tradeoff will be acceptable to current users, but it's worth a shot!
I have not looked into it yet. But maybe the following would be workable in this case.
Let's say we make it so you have to press the button and it will always display a dropdown (with the text "none rss-feeds found" if needed). Then it would also be possible to call something like your private https://github.com/RSS-Bridge/rss-bridge to get even feeds from pages (social media) that do not have an official feed. This would also solve the part. Add feed X. Because if you need it, it can be added to RSS-feed
Is your feature request related to a problem? Please describe.
I'm trying to reduce the permissions of the extensions I use. awesome-rss is awesome, but has broad permissions.
Describe the solution you'd like
A version of awesome-rss that did not have content script permission on all pages. https://github.com/shgysk8zer0/awesome-rss/blob/2ad413f690e2afa40fdb4a4baa4dfb8184bc3b4a/manifest.json#L30-L33
The only cross-platform solution I can think of is to use a browser action that acquires permission activeTab and uses that to inject a content script. The disadvantage of this is that users would have to click the awesome-rss icon to know whether the page has an RSS feed.
Describe alternatives you've considered
Use chrome.DeclarativeContent
https://developer.chrome.com/extensions/declarativeContent may allow awesome-rss to learn of the existence of feeds without a content script and thus only display an icon if the page has a feed.
The disadvantage is that it's not cross-platform: Firefox does not support chrome.declarativeContent https://bugzilla.mozilla.org/show_bug.cgi?id=1323433
Accept broad permissions (status quo)
This leaves users at risk in case an attacker manages to publish a malicious extension and potentially exfiltrate sensitive information.
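
The difference between the status quo and the activeTab proposal shows up directly in manifest.json. The following is an added example, not part of the original issue and not awesome-rss code: both manifests are constructed samples, and `isBroad` and `auditManifest` are hypothetical helper names for a check a user could run over the extensions they have installed.

```javascript
// A match pattern is broad when it is <all_urls> or its host part is a bare "*".
function isBroad(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Constructed sample: content script declared for all pages (status quo shape).
const broadManifest = {
  manifest_version: 2,
  name: "feed-finder (constructed)",
  permissions: ["storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["detect-feeds.js"] }],
};

// Constructed sample: no declared content script; access is granted per click.
const reducedManifest = {
  manifest_version: 2,
  name: "feed-finder (constructed)",
  permissions: ["storage", "activeTab"],
  browser_action: { default_title: "Find feeds on this page" },
};

// Report every place a manifest grants script or host access to all pages.
function auditManifest(manifest) {
  const findings = [];
  (manifest.content_scripts || []).forEach((entry, i) => {
    for (const pattern of entry.matches || []) {
      if (isBroad(pattern)) {
        findings.push(`content_scripts[${i}] runs on every page (${pattern})`);
      }
    }
  });
  // Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
  const hosts = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const pattern of hosts) {
    if (isBroad(pattern)) {
      findings.push(`host access to every page (${pattern})`);
    }
  }
  const usesActiveTab = (manifest.permissions || []).includes("activeTab");
  return { broad: findings.length > 0, usesActiveTab, findings };
}

console.log(auditManifest(broadManifest));
console.log(auditManifest(reducedManifest));
```
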