subdavis / Tusk

🐘 🔒 KeePass-compatible browser extension for filling passwords.
https://subdavis.com/Tusk

Add a setting to allow extension's access to all websites in Chrome. #168

Closed zmilonas closed 6 years ago

zmilonas commented 6 years ago

This issue is a

Add a setting to enable Tusk's access to edit all websites' data without a prompt in Chrome.

Might be hidden or something, only for advanced users, but when you want to be really productive, the prompts about access to data in a specific domain become annoying. Open for discussion, especially since it has serious security implications.

subdavis commented 6 years ago

I've been wanting to revisit this also.

The original purpose of Tusk was to respect users' privacy more than every other browser password manager, meaning it couldn't access any of the sites you visit by default. I believed that a whitelist was a better default.

It turns out this control simply annoys users - particularly the non-technical users to whom Tusk appeals. I'm tempted to put this as an option at install-time where, when you're setting up Tusk, it asks you if you want to authorize each site or allow access to everything by default, then make an advanced setting where you can change this later.

zmilonas commented 6 years ago

The problem might arise if people start choosing the all-open approach and have really generic or plainly incorrect URLs in their databases; they could, for example (worst-case scenario), accidentally autofill their AWS root account credentials on somebody's S3-served website that has input-change AJAX calls.

So, while appealing to everyday, non-technical users, you have to remember to keep them safe from themselves.

From a UX standpoint I would strongly advise against any install-time decisions. In good UX, the more choices you can make for the user, the better the experience. Some reading regarding that
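The wrong-site autofill scenario above comes down to how a stored entry's URL is matched against the page the user is on. The following is an added example, not Tusk's own matching code: it compares the full origin (scheme, host and port) of the current tab with the origin of each entry's URL, and drops entries whose URL is missing a scheme or otherwise does not parse, so a sloppy database record never becomes a fill candidate on an unrelated site. The entry records are constructed for the example.

```javascript
// Added example (not Tusk's own code): offer a stored credential for autofill
// only when its URL has exactly the same origin as the current tab.

// Normalise a URL string to its origin (scheme + host + port).
// Returns null for anything that is not a parseable http(s) URL.
function toOrigin(raw) {
  let u;
  try {
    u = new URL(raw); // throws on bare hostnames such as "amazon"
  } catch (e) {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.origin;
}

// Return the entries whose stored URL shares the tab's origin. Entries with a
// missing, malformed or scheme-less URL never match, and neither do entries
// whose scheme differs (http vs https) or whose host merely contains the
// tab's host as a substring.
function matchingEntries(entries, tabUrl) {
  const tabOrigin = toOrigin(tabUrl);
  if (tabOrigin === null) return [];
  return entries.filter(e => toOrigin(e.url) === tabOrigin);
}

// Constructed sample records standing in for parsed KeePass entries.
const SAMPLE_ENTRIES = [
  { title: "AWS root", url: "https://signin.aws.amazon.com/" },
  { title: "Blog", url: "https://example.org/wp-login.php" },
  { title: "Sloppy entry", url: "amazon" },          // no scheme: never offered
  { title: "HTTP only", url: "http://example.org/" }, // scheme differs from https
];

// Stand-alone demonstration: an S3-hosted page whose host happens to contain
// "amazon" gets no candidates at all.
console.log(matchingEntries(SAMPLE_ENTRIES, "https://bucket.s3.amazonaws.com/login").map(e => e.title));
console.log(matchingEntries(SAMPLE_ENTRIES, "https://example.org/").map(e => e.title));
```

Strict origin equality is the conservative choice; if a manager wants to treat `www.example.org` and `example.org` as one site it should do so explicitly (for example via a registrable-domain rule), never by substring matching.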

jbuschjr commented 6 years ago

Much more on the user side of any discussion regarding this, seeing as it was my frustration with it that led me here. I appreciate seeing discussion of user security and fidelity with their data though. Using this extension on four different computers with dozens of frequented sites makes confirmation of that permission a hiccup every time.

Would definitely be in support of the advanced option for default access. You can say you have the user's best interests in mind until you're blue in the face, but that isn't going to stop them from wanting it if you've told them the repercussions. In my personal case I feel the best applications I've used are extremely configurable. Sure, the defaults are well chosen so the average user doesn't need to change them, but the options are there if/when they want them. Gating off functionality and waving your finger at an understanding user is purely a frustration.

subdavis commented 6 years ago

@jbuschjr that's a pretty logical argument. I'm partial to an advanced setting to allow for all domains, while leaving the default as minimal permissions. I'll take a swing at this sometime next week.

subdavis commented 6 years ago

A scenario that was not tested before this merged:

  1. all permissions
  2. revoke all permissions
  3. Visit a site you've never been to before. Chrome still behaves like you have all permissions even though you can see in the permission list that that origin was not allowed. This is a terrible browser bug....

Going to allow this feature to go to prod, but with a note about this.
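The two modes discussed in this thread (prompt per origin by default, an advanced "all sites" grant that can be switched off again) map onto Chrome's optional host permissions. The following is an added example, not Tusk's own implementation: a small mode manager that keeps least privilege as the default, asks for `<all_urls>` only when the advanced setting is enabled, and after a revoke re-queries the browser instead of trusting its own state. It assumes host patterns are declared as optional in the manifest (`optional_permissions` in Manifest V2, `optional_host_permissions` in V3), and it takes the permissions API as a constructor argument so it can run here against a constructed fake; in an extension you would pass `chrome.permissions`, whose `request`, `remove` and `contains` accept `{origins: [...]}` and resolve to a boolean. The `contains` check after revoking reflects the browser's own view of the grant; it would not catch the inconsistency described above, where the permission list shows the origin revoked but the extension still behaves as if it had access.

```javascript
// Added example (not Tusk's own code): least-privilege permission modes for a
// password-filling extension. `api` stands in for chrome.permissions.
const ALL_SITES = "<all_urls>";

// Build the narrowest host pattern for a tab: one origin, all paths.
// Only http(s) origins are ever requested.
function originPattern(tabUrl) {
  const u = new URL(tabUrl);
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error("only http(s) origins can be requested");
  }
  return `${u.origin}/*`;
}

class PermissionMode {
  constructor(api) {
    this.api = api;
    this.allSites = false; // persisted setting; default is per-site prompts
  }

  // Make sure the extension may act on `tabUrl`; resolves to true if it may.
  // In "all sites" mode no per-origin grant is accumulated.
  async ensureAccess(tabUrl) {
    if (this.allSites && (await this.api.contains({ origins: [ALL_SITES] }))) return true;
    const pattern = originPattern(tabUrl);
    if (await this.api.contains({ origins: [pattern] })) return true;
    return this.api.request({ origins: [pattern] }); // browser shows its own prompt
  }

  // Advanced setting: one broad grant instead of many narrow ones.
  async enableAllSites() {
    this.allSites = await this.api.request({ origins: [ALL_SITES] });
    return this.allSites;
  }

  // Revoke the broad grant and report whether the browser still lists it, so
  // the UI can tell the user instead of silently assuming the revoke worked.
  async disableAllSites() {
    this.allSites = false;
    await this.api.remove({ origins: [ALL_SITES] });
    const stillGranted = await this.api.contains({ origins: [ALL_SITES] });
    return { stillGranted };
  }
}

// Constructed fake for chrome.permissions: grants whatever is asked for and
// records the granted origin patterns so the flow can be inspected offline.
function makeFakePermissions() {
  const granted = new Set();
  return {
    granted,
    async request({ origins }) { origins.forEach(o => granted.add(o)); return true; },
    async remove({ origins }) { origins.forEach(o => granted.delete(o)); return true; },
    async contains({ origins }) { return origins.every(o => granted.has(o)); },
  };
}

// Stand-alone walk-through of the revoke scenario from this thread.
(async () => {
  const api = makeFakePermissions();
  const pm = new PermissionMode(api);
  await pm.ensureAccess("https://example.org/login");
  await pm.enableAllSites();
  const { stillGranted } = await pm.disableAllSites();
  console.log("granted after revoke:", [...api.granted], "all sites still granted:", stillGranted);
})();
```

The point of returning `stillGranted` rather than a bare success flag is that revocation is the step users most need feedback on: if the browser reports the grant as still present, the extension should say so rather than show a settings toggle that claims the opposite.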

zmilonas commented 6 years ago

@subdavis On a related note, I'm working on User Acceptance Tests with Puppeteer, so this is a good one to save for a test case.

Enquire-Enrique commented 5 years ago

Having problems revoking this permission on Firefox; reinstalled and the problem remains. Any suggestions?