Use fewer permissions
Per https://github.com/browserpass/browserpass-extension/blob/77f6d18f8ea92e68fc0c020cb4065283e45a78c2/src/manifest-firefox.json#L27-L39 , this extension requests a set of permissions on installation.
This extension is a privileged application, since it has access to a password store, so it’d be great if it relied on the web extension permission model to limit its privilege. A code audit could only go so far: it will miss some issues, and doesn’t account for risks in the build and release process (see https://reproducible-builds.org/ ).
Proposals to make permissions optional
Firefox considers the following permissions to be privileged enough to advise the user of: clipboardWrite, webRequest, activeTab, <all_urls>, so let’s focus on those.
webRequest
Used for: injecting username/passwords into HTTP basic auth prompts.
Risk: Medium. This permission can be used to exfiltrate all your browsing metadata.
How to make it optional: set HTTP auth to be disabled by default. If a user chooses to enable it, request webRequest then.
tabs/<all_urls>
Used for: Likely many things, but including: injecting a content script on all pages, to add a pass icon to username/passwords fields.
Risk: High. This permission can be used to exfiltrate all content (incl. input) of all pages you visit, or to inject arbitrary content into all pages you visit.
How to make it optional: don’t add a content script to all pages. Instead, add an option (disabled by default) to control this. If/when the user enables this, request <all_urls>. This extension can use activeTab when this option is disabled, which allows this extension to inject a content script if/when the user chooses to interact with this extension, e.g. via the right click menu, or via the passff browser bar button.
clipboardRead/clipboardWrite
Used for: copying username and passwords to the clipboard.
Risk: Low. A malicious extension could put malicious scripts in your clipboard, hoping that you paste them into a terminal?
How to make it optional: defer requesting clipboardWrite until the user chooses to copy to the clipboard.
Disclaimer: I have opened a similar issue against passff: https://github.com/passff/passff/issues/472.
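The opt-in model the issue proposes, written out as an added example (this is not browserpass’s own code): the privileged entries move to optional_permissions in the manifest and each feature requests its grant only when the user turns it on. The feature names, the manifest fragment, the api parameter and the fakeBrowser stand-in are assumptions made for this example.

```javascript
// Constructed manifest fragment (MV2, Firefox): always-on vs. user-granted entries.
// activeTab stays required so the extension can still act on the current tab
// when the user clicks the toolbar button or the context menu.
const MANIFEST_FRAGMENT = {
  permissions: ["activeTab", "storage", "contextMenus"],
  optional_permissions: ["webRequest", "webRequestBlocking", "<all_urls>",
                         "clipboardWrite", "clipboardRead"],
};

// Each opt-in feature's needs, in the shape browser.permissions.request() takes.
// Filling HTTP auth prompts needs webRequest(Blocking) plus a host permission to
// see onAuthRequired on every site; auto-inject needs only the host permission.
const FEATURE_PERMISSIONS = {
  httpAuth:   { permissions: ["webRequest", "webRequestBlocking"], origins: ["<all_urls>"] },
  autoInject: { permissions: [], origins: ["<all_urls>"] },
  clipboard:  { permissions: ["clipboardWrite", "clipboardRead"], origins: [] },
};

// Every entry a feature may request must be declared in the manifest, or
// permissions.request() rejects at runtime. Suitable as a build-time self-check.
function manifestCoversFeatures(manifest = MANIFEST_FRAGMENT) {
  const declared = new Set([...manifest.permissions, ...manifest.optional_permissions]);
  return Object.values(FEATURE_PERMISSIONS)
    .every((f) => [...f.permissions, ...f.origins].every((p) => declared.has(p)));
}

// Handler for an options-page checkbox. Must run inside a user gesture, since the
// browser refuses permissions.request() otherwise. Resolves to the new state.
// Note: remove() drops everything listed, so a shared grant such as <all_urls>
// is lost for other features too; a real implementation would account for that.
async function setFeature(name, enabled, api = globalThis.browser) {
  const wanted = FEATURE_PERMISSIONS[name];
  if (!wanted) throw new Error(`unknown feature: ${name}`);
  if (!enabled) { await api.permissions.remove(wanted); return false; }
  return api.permissions.request(wanted); // Firefox shows its consent prompt here
}

// Re-check before using a feature: the user can revoke a grant at any time.
function canUse(name, api = globalThis.browser) {
  return api.permissions.contains(FEATURE_PERMISSIONS[name]);
}

// Minimal stand-in for the WebExtension permissions API so the logic runs outside
// a browser; userAccepts models the user's answer to the consent prompt.
function fakeBrowser(userAccepts) {
  const have = new Set();
  const keys = (r) => [...(r.permissions || []), ...(r.origins || [])];
  return { permissions: {
    request:  async (r) => { if (userAccepts) keys(r).forEach((p) => have.add(p)); return userAccepts; },
    remove:   async (r) => { keys(r).forEach((p) => have.delete(p)); return true; },
    contains: async (r) => keys(r).every((p) => have.has(p)),
  } };
}
```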
Issue Analytics
- Created 2 years ago
- Comments: 6 (1 by maintainers)
Top GitHub Comments
Hello!
Thanks for your effort and detailed explanation, definitely appreciated.
I completely agree that the web extension permission model should be used to not have more permissions than necessary to be able to provide the functionality, provided that it doesn’t harm functionality or user experience.
I don’t think this proposal follows the web extension permission model, we shouldn’t cripple extension functionality just for the sake of doing it.
When you want to locate yourself in a maps application on Android, you get a prompt “May I use GPS? Always, This one time, No”, and after you respond with a positive answer you get the functionality. It’s unobtrusive, very easy to use.
Imagine if instead the application showed you a prompt “May I use GPS?”, you tap “Yes” and then you got a different prompt “Ha, but go in application settings and enable this feature, because for security we disabled it”. I feel like it will be faster to delete such application than going through the trouble of making it work 🙂
Same as above, except this is a vital feature, in my mind it just doesn’t make sense to provide browserpass that out of the box is unable to fill out login forms on some websites, and requires the user to search in extension options for how to fix the functionality.
This I could be sold on, however (a) I even think we wanted to make it optional since the beginning, but users reported that it wasn’t behaving well in Firefox, (b) the risk of this one is quite low, if this is the only permission that we conclude makes sense to make optional, honestly I wouldn’t go through the trouble to implement it, to only have one optional permission, the clipboard… 🙂
Asking for permissions at time-of-use can make it more obvious what those permissions are used for, so that the user can make a more informed decision than just allowing or denying the whole lot upfront. We’ve seen a significant shift in that direction on Android, for example.
That model isn’t a good fit for Browserpass unfortunately - so given that we need them upfront, we do our best to ensure the permissions we do need are all documented in the README - but I can certainly see a number of scenarios in which the ask-when-used approach would be superior.