Issue 429185

Starred by 18 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Blocking:
issue 436758



The new webNavigation/tabs permission warning is too broad.

Project Member Reported by rob@robwu.nl, Oct 31 2014

Issue description

The previous permission warning was (until Chrome 36):
"Access your tabs and browsing activity"

The new permission warning is (since Chrome 37):
"Read your browsing history"

This seems to have been changed in https://codereview.chromium.org/328943002/.

The webNavigation/tabs API cannot be used to get the full history of the user, it only provides notifications about navigations. Could we update the permission warning to something more specific and accurate, such as

"Observe your browsing activity"

[ past history | present | future ]
[ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ] <-- Implied by current warning
[                XXXXXXXXXXXXXXXX ] <-- Proposed warning
 

Comment 1 by kalman@chromium.org, Oct 31 2014

Cc: sashab@chromium.org
Status: WontFix
The difference is pretty subtle. I could almost equally interpret "observe your browsing activity" as "observe your browsing activity [past and present]". Part of the reason we did all of this permission refactoring was to reduce the cognitive effort for interpreting messages, part of which is potentially being a little more liberal than necessary. In this particular case though I don't think there's a whole lot of difference really in being able to read your past history or not.

Marking as WontFix,+sashab though, who is working on permissions refactoring. There are quite possibly other more damaging cases where we've missed something, so good to point them out.

Comment 2 by rob@robwu.nl, Oct 31 2014

How about:
"See which websites you visit"

I'd be happy with any warning that does not put emphasis on the past history, because users may perceive this as privacy-invading.

Comment 3 by kalman@chromium.org, Oct 31 2014

How is past history any more or less invasive than future activity?

Comment 4 by rob@robwu.nl, Oct 31 2014

You can't undo the past (embarrassing?) history, but you can (consciously) control your future activity.

One of my extensions declares webNavigation as an optional permission to enable optional features on some websites, and it looks fishy that the extension requests access to the complete browsing history. There is no way to explain that. On the other hand, seeing which websites you're visiting is a plausible requirement, because the extension can only selectively add features to websites if it knows that you're visiting that website.

Comment 5 by kalman@chromium.org, Oct 31 2014

I don't think that expecting user behaviour to change if they have an extension installed is a use case we should optimise for, though I do see your point about the wording being alarming (albeit equivalent).

But again I'd point out that "see which websites you visit" is just as ambiguous whether it's past or future. Wording like "monitor your browsing activity" is perhaps less alarming and more accurate, but harder to understand.

We *could* be more explicit:

- tabs/webNavigation: "Access your future browsing activity"
- history (hides tabs/webNavigation): "Access your past and future browsing activity"

Or something. I don't feel that's strongly better but it's more palatable, and Sasha's framework *would* make that easy to express (right?).

Anybody else have thoughts?

Comment 6 by rob@robwu.nl, Oct 31 2014

User behavior upon installation is important for conversion rates, so I view it as important.

The current message unambiguously states that the extension can access the history.
"See which websites you visit" can indeed be ambiguous, but it is nevertheless an improvement when compared to the previous warning.

"Access your future browsing activity" excludes the present, and "browsing activity" is vaguer and broader than "websites you visit" (does this extension also see my photos?).


Here's another one:
"See which website you are visiting"

This excludes the past history and also shows that the extension doesn't get any more info besides the URL.

Comment 7 by kalman@chromium.org, Oct 31 2014

I'm not sure this is worth discussing a whole lot. I'm ok with my suggestion with past vs future, but anything less explicit is too open to interpretation, and likely won't translate well.
Our extension is using the 'tabs' permission and our users don't want to install the extension because it says "Read your browsing history". I agree with changing it to "See which website you are visiting" or something similar.

Comment 9 Deleted

Comment 10 by rob@robwu.nl, Nov 4 2014

Status: Available
kalman@
If you don't mind I am re-opening the issue since there is at least one developer who bothered to dig through closed bug reports to find this issue.

From the perspective of Chromium developers, the message doesn't really matter as long as the "dangerous" potential of the API is contained in the message.

To extension developers, the phrasing of the message IS significant. It means the difference between an installation or a missed opportunity to get a user.

If you're not satisfied with the proposed messages, then we can send a mail to the chromium-extensions mailing lists to gather feedback.
Blockedon: chromium:398257
Owner: sashab@chromium.org
Status: Assigned
I'm ok changing this to have the past/future language. Sasha could you look into this once it's trivial to implement (once bug 398257 is fixed)?
Yup; I see this as the following rules:

- App has history (and optionally tabs or webNavigation): "Access your past and future browsing activity"
- App has tabs (and optionally webNavigation): "Access your future browsing activity"
- App has webNavigation: "Access your future browsing activity"

Sound good? :)
Cc: f...@chromium.org
SGTM, modulo whatever the language these days is for "read", I can't remember, maybe it's "access".

It sounds like these extensions can predict the future.
I think using past and future will be confusing. How about this?

- App has history (and optionally tabs or webNavigation): "Access your browsing history"
- App has tabs (and optionally webNavigation): "Access your browsing activity"
- App has webNavigation: "Access your browsing activity"

Basically the same strings we used before?

Comment 15 by rob@robwu.nl, Nov 4 2014

#12 and #14

Unlike tabs/webNavigation, the history API can also change the history, so I'd like to keep the current warning: "Read and modify your browsing history".
And it now occurs to me that "future history" is an oxymoron.

Honestly I do like the wording of "history" even though it's strong - that's the only real problem with the tabs permission. Who cares if I can watch your browsing activity - the problem is if I send it somewhere - at which point it's your history.

Honestly I have frustrations with the tabs permission as well - not because of the warning, but because you need it sometimes when all you want to do is really benign things.

Gotta head off for the evening. meacer... felt... if you remember anything from prior discussions, or have thoughts, please chime in...
I agree. Given enough time, all current activity is history (#yolo), so the warning is in fact accurate. On top of that, permission warning dialogs have a very high clickthrough rate, so I'm not fully convinced that such a subtle change impacts install numbers.

Comment 18 by rob@robwu.nl, Nov 5 2014

#16
Most of the tabs API can already be used without the tabs permission. Using the tabs permission allows extensions to see the URLs associated with a tab.

It would be nice to have a similar exception for the webNavigation API: If the extension is allowed to access a certain host permission, allow the webNavigation API to be used with the given host pattern. Otherwise reject the chrome.webNavigation event registration. I am willing to implement this if you have no objections against the concept, especially because it is useful for one of my extensions. I don't need to know *all* browser activity, just the navigations for about 10 sites.

#17
People who blindly click through can be ignored in this issue, since they don't read the warning anyway. The permission warnings are for those who want to make a conscious decision whether to install or not install an extension. And there is certainly a difference between giving the extension access to your full history, or just the ability to monitor your browsing activity.
Giving webNavigation the same treatment as tabs sounds fine to me.

To summarise this conversation about the warning: If we can come up with some wording which is
- easy to internationalise
- implies accurately that this CAN gather browsing history ("browsing activity" is too vague)
Then that's something to consider.

"Your browsing history" is a decent enough approximation.

I could also imagine something along the lines of that past vs future history wording, though it's an oxymoron and so probably hard to explain.

Another approach would be "Read your browsing history" vs "Record your browsing history".
Labels: Cr-Privacy

Comment 21 by rob@robwu.nl, Nov 12 2014

FYI webNavigation with fewer permissions is tracked at issue 431108.
Guys, would you mind having a look at Issue 433020, too, while you're at it?
Blockedon: -chromium:398257
Blocking: chromium:436758

Comment 25 by rob@robwu.nl, Mar 1 2015

Issue 462287 has been merged into this issue.

Comment 26 by pdo...@gmail.com, Mar 2 2015

#17 Granted everything eventually becomes history. But at the point of install and moment where the warning appears to the user - history/past activity can't be accessed with tabs permissions. The time of install would be where these warnings are most significant as users are deciding if they really want to install it or not based on the severity of the warnings.

I agree with @rob's point that to extension developers, the phrasing of the message IS significant. I've received feedback from Chrome users (typically angrily) asking why I would need to access their history in my extension. History is a very strong word from an end user standpoint.  I would be fine with anything as long as it didn't have the H word in it.

Although many users blindly click through the permission warning, many also take their time to see the various things the extension can have access to (which IMHO is a good thing).  
Cc: -sashab@chromium.org
Owner: benwells@chromium.org
Cc: benwells@chromium.org
Owner: kalman@chromium.org
Over to kalman to decide what to do with this.
Owner: ----
Status: Available
Well I'm open to tweaking the wording under the constraints given in #19, and adding that I don't want to go back to having 2 entries for this.
Suggesting a new phrase: what about something akin to, "View websites as they are accessed", or "View the URLs of websites as they are visited"
I like the "as they are visited" aspect to that warning, though "websites" is too broad and "URLs" is too specific.

Comment 32 by anvi...@gmail.com, Aug 5 2015

Folks, just wanted to check on where you are with this. I echo sentiments of other developers-- we've looked at the numbers and installs have significantly dropped after the new warning was added. Quick poll around the office also shows that 8/10 people are "freaked out" and likely to not install the extension b/c they don't understand why we'd need to read browsing history.

This is a pretty big issue for every business that relies on a Chrome extension :( "Browser history" is a scary phrase, and doesn't accurately capture what this permission even does.

For the history permission, makes sense to keep it as is. For tab/webnav...

Suggestions:
(Read | Access) your browsing activity
Access the webpages you visit

Comment 33 by anvi...@gmail.com, Aug 5 2015

Edit to above post: also, would like to suggest "Read webpages as you visit them"
Cc: -benwells@chromium.org rdevlin....@chromium.org
"Access the webpages you visit" and "Read webpages as you visit them" are not good because they imply content (i.e. host permissions).

See my comment at #19.

I think based on the inability to reach suitable wording here, we should back out of trying to find a single install message which conveys both "tabs" and "history". Another way to rationalise this: history and tabs are for primarily different use cases, and trying to combine the messages is arbitrary.

So how about:
- For history, "Read and modify your browsing history".
- For tabs, "Read your browsing activity".

to at least have a common vocabulary. Yes, *and modify*. I don't know how this slipped through.

Final note: if/when we change this, make sure that it's not accidentally treated as a privilege escalation.

I will give y'all a day to veto this suggestion.

Comment 35 Deleted

Comment 36 by anvi...@gmail.com, Aug 5 2015

@kal, sounds great - and I agree that decoupling these two makes sense. 
What about webNavigation? Should we apply the same warning as tabs there?

Slightly related comment:

We might want to consider when the permission to run on all websites <all_url> is asked. The permissions prompt says "Read and change all your data on the websites you visit." There's a subtle difference between this and browsing activity. In reality, you can take the all_url permission and probably reconstruct browsing activity from there. In those situations the read browsing activity seems redundant. Thoughts? 
"What about webNavigation? Should we apply the same warning as tabs there?"

Yes.

"In those situations the read browsing activity seems redundant. Thoughts?"

We should already be suppressing the tabs warning if <all_urls> is specified. If we're not then that is a bug - what you say is the correct thing to do.

Comment 38 by anvi...@gmail.com, Aug 5 2015

cool, thanks. 
hrm, looks like there is a bug then. Should I start a separate thread for that?
Yes please, that would be great.
Cc: treib@chromium.org
This came up in a discussion today. Another (final?) proposal:

history: "read, monitor and modify your browsing history"
tabs/webNavigation: "monitor your browsing activity".
history+tabs/webNavigation: "read, monitor and modify your browsing history and activity"

... in the hope that the latter warning isn't too wordy. Security people... thoughts? While some of those words are redundant in a security context, emotionally there is a difference and IMO that is important.

treib@ I've had a look at chrome/common/extensions/permissions/chrome_permission_message_rules.cc to see how to make this change, and guarantee that there will be no privilege escalation... and, well, maybe you can explain it to me.
No objections from me in principle.

Just a nit: I checked how the word "monitor" is translated in TR locale and it sounds a little odd. I can't think of an alternative though.
"watch"?
Heh, that's actually how it's translated to TR :) Sure, sgtm.

Comment 45 by treib@chromium.org, Aug 28 2015

#41, how we check for privilege escalations is...complicated. But in this case, we should be fine: There's an early out in ChromePermissionMessageProvider::IsAPIOrManifestPrivilegeIncrease if all the permission *IDs* were already there (before they're ever converted to messages), so just changing the message coalescing rules will never result in a privilege escalation.
[If you were also asking about how exactly to express the above rules in the new system, I can probably help with that. Shouldn't be too hard, hopefully :)]
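
A simplified model of the point in comment 45 and of the coalescing rules proposed above, as an added example that is not part of the thread and is not Chromium's code. The rule tables, the function names and the message comparison after the early out are assumptions; the warning strings are quoted from the thread.

```javascript
// Added example: a simplified model, not Chromium code. Rule tables and
// function names are hypothetical; warning strings are quoted from the thread.
const ALL_URLS = {
  groups: [["<all_urls>"]],
  absorbs: ["<all_urls>", "tabs", "webNavigation"], // suppresses the tabs warning
  message: "Read and change all your data on the websites you visit",
};
// Approximation of the behaviour the thread describes as current.
const STATUS_QUO = [
  ALL_URLS,
  { groups: [["history"]], absorbs: ["history", "tabs", "webNavigation"],
    message: "Read and modify your browsing history" },
  { groups: [["tabs", "webNavigation"]], absorbs: ["tabs", "webNavigation"],
    message: "Read your browsing history" },
];
// The three rules proposed in the thread, most specific first.
const PROPOSED = [
  ALL_URLS,
  { groups: [["history"], ["tabs", "webNavigation"]],
    absorbs: ["history", "tabs", "webNavigation"],
    message: "read, monitor and modify your browsing history and activity" },
  { groups: [["history"]], absorbs: ["history"],
    message: "read, monitor and modify your browsing history" },
  { groups: [["tabs", "webNavigation"]], absorbs: ["tabs", "webNavigation"],
    message: "monitor your browsing activity" },
];

// Coalesce permission IDs into warnings. Rules are tried in order; a rule
// fires when each of its groups has at least one ID not yet absorbed.
function warningsFor(ids, rules) {
  const remaining = new Set(ids);
  const messages = [];
  for (const rule of rules) {
    const fires = rule.groups.every((g) => g.some((id) => remaining.has(id)));
    if (!fires) continue;
    messages.push(rule.message);
    for (const id of rule.absorbs) remaining.delete(id);
  }
  return messages;
}

// Privilege-increase check with the early out described in comment 45:
// if every requested ID was already granted, messages are never consulted.
function isPrivilegeIncrease(grantedIds, requestedIds, rules) {
  const granted = new Set(grantedIds);
  if (requestedIds.every((id) => granted.has(id))) return false;
  // Assumption: otherwise any warning not shown before counts as an increase.
  const before = new Set(warningsFor(grantedIds, rules));
  return warningsFor(requestedIds, rules).some((m) => !before.has(m));
}
```

Swapping `STATUS_QUO` for `PROPOSED` changes the string rendered for an extension holding only `tabs`, but `isPrivilegeIncrease(["tabs"], ["tabs"], ...)` stays false under either table because the ID check returns first.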
Issue 532139 has been merged into this issue.
Hello, just checking in on the issue. I'm having trouble with the tabs permission prompting users that the extension can "Read your browsing history". The suggestions in the forum really cleared up the ambiguous and possibly "scary" wording of the current prompt.
I encountered this issue now. Here is my suggestion:

tabs/webNavigation: "Access information about pages you visit".
(Optionally "Access information about open tabs")

This fixes the issue at #34 so that it does not imply content anymore.

It also complies with #19
- simple wording makes it easy to internationalise
- Tells exactly what it can gather (Information about current pages) and that would be obvious for everyone that such permissions could gather information to create a list/history.


Comment 49 Deleted

Comment 50 by hrg....@gmail.com, Nov 24 2016

The "tabs" permission means quite simply that the extension is able to know what pages the user is visiting while the extension is enabled.
You are delving too much into semantics and words that have no clear meaning to the average user.
Just speak plain and simple English.
Tell the user that the extension can "know what pages you are visiting". Clear, unambiguous and simple.

Project Member

Comment 51 by sheriffbot@chromium.org, Nov 24 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -kalman@chromium.org
Owner: srahim@chromium.org
Status: Assigned (was: Untriaged)
Something for you to ponder, srahim@. :)  There's a fair amount of context here; the TL;DR is that the warning shown for the "tabs" permission is a little overbroad ("Read your browsing history", when in fact it can only read your history *from the point you install the extension*).  Feel free to ping me if you want to chat more.