
Issue 640834

Starred by 10 users

Issue metadata

Status: Duplicate
Merged: issue 362351
Closed: Aug 2016
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Feature


Extensions should have a granular permission model similar to Android applications

Reported by, Aug 25 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce the problem:
Chrome Extensions have the ability to use API functions exposed by the browser as well as inject JavaScript into pages a user may load.

When a user installs an extension, they are presented with a very coarse permission scheme.

Users should be able to make informed choices about more granular security models, similar to Android apps.

Chrome Extensions can update and implement new features that may change the user's browser behaviour in meaningful ways.  User input is not required to authorize this new browser behaviour.

A long-trusted extension could, remarkably, one day overwrite JavaScript methods like XMLHttpRequest() or WebSocket() and exfiltrate the data being sent in a manner the user otherwise trusted. This could be by intent or malicious attacks on the extension authors.

What is the expected behavior?

What went wrong?
- Extensions should have a more granular permission scheme, similar to Android apps

- Extensions should request their updated permission model when they are updated automatically.  This would allow the user to make informed choices about how their experience is changing.

Did this work before? N/A 

Chrome version: 52.0.2743.116  Channel: stable
OS Version: OS X 10.11.6
Flash Version:
Labels: -Type-Bug-Security Type-Feature
More of a feature request than an actual security vulnerability.

Comment 2 by, Aug 25 2016

Components: Platform>Extensions Platform
Labels: -Restrict-View-SecurityTeam
There are similar requests (e.g. bug 342570). Not sure if there is an exact dupe, so I'll leave it to Devlin to triage.
Mergedinto: 362351
Status: Duplicate (was: Unconfirmed)
Extensions already have a granular permission model.  An extension can choose to only request the APIs and domains it requires.  When it updates, if it requires new permissions, it is disabled and the user is alerted.  In theory, users already have the ability to make informed choices about the extensions they install - the bigger problem is that few users are deterred by a big scary warning saying "This extension can access and modify all your data on all websites."

Given that there are a number of legitimate use cases for requiring access to all URLs (adblock, ghostery, et al), I don't think this is something we can or should remove.

However, there is an effort to give the user more control over when an extension can act, and to try to move towards a more runtime permissions model, which I think is what this bug (and issue 342570) are really hinting at. Duping into the tracking bug for that effort.
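
The update behaviour described in the last comment (an update that requires new permissions is disabled and the user is alerted) can be approximated offline by diffing what two manifest versions declare. This is an added example, not code from the issue or from Chromium; the sample manifests are constructed, `declared`, `diffPermissions` and `BROAD_HOSTS` are hypothetical names, and comparing declared strings is an assumption of this sketch, not Chrome's own check.

```javascript
// Added example (not Chromium code): report what an extension update would
// newly declare, by comparing two parsed manifest.json objects.

// Match patterns this sketch treats as "all websites" (an assumption).
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// In "permissions", host match patterns contain "://" or are "<all_urls>".
const isHost = (p) => p === "<all_urls>" || p.includes("://");

// Collect declared API permissions and host patterns from one manifest.
function declared(manifest) {
  const apis = new Set();
  const hosts = new Set();
  for (const p of manifest.permissions || []) {
    if (typeof p !== "string") continue; // ignore object-form entries
    (isHost(p) ? hosts : apis).add(p);
  }
  for (const h of manifest.host_permissions || []) hosts.add(h);
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.add(m);
  }
  return { apis, hosts };
}

// String-level diff: pattern coverage (e.g. *://*/* already covering a host)
// is not computed, so a reviewer should still read the host list.
function diffPermissions(oldManifest, newManifest) {
  const before = declared(oldManifest);
  const after = declared(newManifest);
  const addedApis = [...after.apis].filter((p) => !before.apis.has(p)).sort();
  const addedHosts = [...after.hosts].filter((h) => !before.hosts.has(h)).sort();
  const hadBroad = [...before.hosts].some((h) => BROAD_HOSTS.has(h));
  const gainsAllSites = !hadBroad && addedHosts.some((h) => BROAD_HOSTS.has(h));
  const escalates = addedApis.length > 0 || addedHosts.length > 0;
  return { addedApis, addedHosts, gainsAllSites, escalates };
}

// Constructed sample manifests for two versions of the same extension.
const v1 = { version: "1.0", permissions: ["storage", "https://example.com/*"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["cs.js"] }] };
const v2 = { version: "1.1", permissions: ["storage", "webRequest", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["cs.js"] }] };

console.log(diffPermissions(v1, v2));
```

Running the same diff over each published version in a review pipeline surfaces the jump from a single site to all sites before the update reaches users.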
