Excuse me if this isnt the appropriate place to ask this, but I would like to know why the plugin needs new FF permission: access to all data of any website #16377
Comments
|
I'd like to know this as well...I removed the add-on until confirm of the reason for this. |
|
ping @Hainish |
|
same here, what's going on? the changelog on the EFF website doesn't say anything about a new permission being needed. |
|
Probably related to FTP blocking: 57a41c2 However, the commit message states that this feature is still not working on FF, so perhaps it would have been better to only request this permission on Chrome. |
That commit was my guess. But I think what's likely happening here is we've already given the permission to "access to all data of any website" (Which I'm pretty sure is what (Either that, or Firefox always asks for that on an update, and I just hadn't paid attention before) Which is why the EFF website wouldn't necessarily say anything about a new permission, because we had already granted that permission before. |
|
So permission was already had, and has always been had? What is your privicy policy? Please don't send me to a wall of text, just tell me if you are: |
|
I'd like to have an official explanation as well. Until then I blocked that update. |
|
Related: #13817 |
|
To sum this up (thanks @csdev and @CodyWilson) and expand a bit:
The Firefox notification seems imperfect, but any additional permission should be mentioned in the Changelog. If someone installed the extension at step 2 they didn't "agree" to |
It looks like it would be needed to me. Otherwise, how would they add the handler to block/redirect non-https requests on all urls? You can read what the onBeforeRequest handler does here: I haven't found much that does recording. The util.log only calls console.log with various warning levels.
I know you said not to, but the privacy policy is in plain English. https://www.eff.org/code/privacy/policy From what I've read of that, and the code thus far. a) Not that I can see throughout the code. There's nothing looking through request bodies or anything weird like that. b) Can't say I've read every line of code. But I've yet to see anything that records anything, really. c) I can firmly say: "Probably not." There's nothing in their privacy policy that allows them to "sell data" per se. But, they can share it with research partners. So take that as you will. Edit: Looking at old (and still open) discussions here and here, it seems that I'm correct in not finding any form of telemetry or otherwise in the code base. |
|
This was an unexpected prompt on the part of Firefox. My guess is that this is due to a permissions change since the last version of the extension: user@https-everywhere ~/workspace/https-everywhere (master) $ git diff 2018.6.21 chromium/manifest.json
diff --git a/chromium/manifest.json b/chromium/manifest.json
index 10b776f062..ccf65918c2 100644
--- a/chromium/manifest.json
+++ b/chromium/manifest.json
@@ -48,7 +48,11 @@
"tabs",
"cookies",
"storage",
- "*://*/*"
+ "*://*/*",
+ "ftp://*/*"
],
- "version": "2018.6.21"
+ "version": "2018.8.22",
+ "web_accessible_resources": [
+ "/pages/cancel/index.html"
+ ]
}
\ No newline at end of fileAdding
I apologize for this unexpected and frightening warning! I can certainly understand why users would be concerned about this, and I'll be reaching out to Firefox to follow up on the dialogue. I'll report back when I have additional information. |
|
@jvillalobos can you clarify here? |
|
I think it was the addition of |
|
Thanks @jvillalobos. This permission seems really misleading - for one, the addition of that permission doesn't even effect websites at all, only FTP directories. Secondly, permission to redirect URLs is already established in previous versions of the extension - why add a scary new warning now? |
|
Firefox always prompts for permission changes. This isn't new. But I get the confusion of |
|
A mention of "It already has access to:" would be nice here. (Something for Firefox to fix.) |
|
@jvillalobos as a more general point, I agree with this post that, while well-intended, the "technically-motivated security-conscious users will avoid downloading and using most Firefox add-ons" and "everyone else will simply ignore all the permission requests and install any add-on they want". I realize presenting a meaningful UX around permissions is hard, but in this case the warning is far disproportionate to the actual permission being asked, to the point that the entire statement is false: "Access your data" is not something the extension does, nor what the permission asks. I sympathize with the challenges that Firefox faces here, but this seems like a UX failure, and the only one it injures is potential HTTPS Everywhere users who have been scared off by this. |
|
The problem with "It already has accessto:" here, is that it doesn't. It has access to http/https schemes via: A better solution might be to break up that "access to all data of any website" permission into more specifics. Such as "access to all http/https requests", and "access to all ftp requests". An even better solution would be to break that up even further. Like such: "permissions": {
"*://*/*": [
"redirect",
"read",
"write",
"*"
]
}Such that a permission might show up as "Able to redirect any HTTP/HTTPS URL", "Able to Read/Write on any HTTP/HTTPS website". Obviously that's not a trivial thing to implement, with such granularity in permissions. But since @Hainish brought up that the entire permission is pretty inaccurate, I figured I'd throw it out there. |
|
Please use the Bugzilla link I included before to request any of these changes. I'll also note that I'm Product Manager for the add-ons site, not Firefox, so I can't really say much about the product and UX decisions that lead to this. Just trying to be helpful here :) |
|
@jvillalobos thank you for being responsive, I do appreciate it. |
|
https://github.com/Rob--W/https-by-default <<<<<<<For trying to sell my information to 3rd parties you have been replaced,id suggest everyone else do the same. HTTPS BY DEFAULT in firefox add ons |
|
@Dutchgold Before you fire alarm bells that your data is being sold by an organization whose privacy policy doesn't allow them to do that, at the very least point out the offending code that collects it. Btw, that plugin requires the same permissions, minus the FTP handler. So if you don't trust the EFF with that, I don't know why you'd trust some random on the internet with it. |
|
this warning is telling people that the postman is reading your post.time will tell.disabled for now. |
It's telling you that the postman can read your post. But unlike the postman, you can read what the process is doing. It's actually rather straight forward javascript. It's not like we're trying to understand GNU's implementation of cat. As well, maybe you don't understand plain English that spells out for you that your alternative is using the exact same permissions. So here, lets use an image.
|
|
Thanks for the lively discussion everyone, I'm going to call it and lock the conversation so that users being directed to this thread will get information relevant to the upgrade process for the extension. If there is a separate bug, please file a separate issue. |
I filed "Adding ftp ws/wss permissions should not trigger extension permission warnings on extension upgrade" in Bugzilla. |
Hi,
Excuse me if this isnt the appropriate place to ask this, but I would like to know
why the plugin needs new FF permission: access to all data of any website?
thanks
Dominik
The text was updated successfully, but these errors were encountered: