Issue 757421
Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug

Extension's Permission Prompt omits some permissions?

Reported by anti0...@gmail.com, Aug 21 2017

Issue description

VULNERABILITY DETAILS
The extension's permission prompt looks confusing when commenting out a few permissions in the manifest file. More than a security bug, this is more like: "is what is displayed in the permission prompt enough?"

VERSION
Chrome latest
Operating System: OSX

REPRODUCTION CASE
See attached screenshots, since they combine both the permissions prompt
and the related permissions given to the extension in the manifest file.
chrome_ext_many: extension with plenty of permissions.

chrome_ext_few: after removing history/geolocation/notifications/desktop capture,
it looks like the extension requires only one thing.

Maybe it's not a security bug, but looks weird to me that by just removing a few permissions only one bullet point is left in the prompt.

Related: I think it would be helpful to show in the permissions prompt that the extension has the background permission. The only UI dialog I've seen for the 'background' permission is when the extension is installed for the first time: it also fades in at the bottom right rather than appearing where the permissions prompt usually is (at the top).

Attachments: chrome_ext_many.png (169 KB), chrome_ext_few.png (158 KB)

Cc: devlin@chromium.org
Components: Platform>Extensions>API
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: Untriaged (was: Unconfirmed)
Summary: Extension's Permission Prompt omits some permissions? (was: Security: Extension's Permission Prompt looks confusing)
This looks to me like it's working as intended. 

Not all permissions result in specific warning text within the Permissions UI, as noted in https://developer.chrome.com/extensions/permission_warnings where it says "Some of these declarations result in a warning when a user installs your extension." and it specifically enumerates:

"The following permissions don't result in a warning:

"activeTab"
"browsingData"
"clipboardWrite"
"contextMenus"
"cookies"
"experimental"
"idle"
"storage"
"unlimitedStorage"
"webRequest"
"webRequestBlocking""

Status: WontFix (was: Untriaged)
Yes, this is WAI.  We deliberately omit or collapse certain permissions.

There are generally three categories of omitted/collapsed permissions:

Nuisance - not worth warning the user about.  For instance, storage is viewed as relatively harmless, and we don't prompt the user (just as we wouldn't prompt the user that a website wants to use window.localStorage).

Collapsed - We don't warn the user about the permission because another permission has equivalent and greater permission.  For instance, we don't warn the user about the cookies permission when the extension has the <all_urls> permission, because if the extension can read and modify all the data on the websites you visit, that includes reading and modifying cookies (a subset of data).  Without the <all_urls> permission, we warn about cookies, but with it, we omit the warning so that we don't display n different warnings with similar content, and instead make it easier for the user to focus on the important points.

Supplementary - Some permissions cannot be used without another permission.  For instance, webRequest, by itself, does not let the extension do anything; it can only be used on the sites to which the extension has access.  Then, once the extension has access to those sites (through host permissions), the webRequest capability is captured by the host permission warning ("can read and modify...").

All of these permissions seem to fall into one of these categories.
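The three categories above (nuisance, collapsed, supplementary), and the reporter's "many" versus "few" manifests, as a small model in JavaScript. This is an added example, not Chrome's implementation or anything from the Chromium tree: it classifies each declared permission by why it is or is not shown, and builds the bullet list a prompt would display. The category lists are taken only from the comments on this issue; the warning strings, treating `*://*/*` style patterns as all-URL access, placing `background` in the no-warning set (based on the report's observation), and the two constructed manifests are assumptions. The quoted doc list includes `cookies` among permissions that never warn, while the later comment warns on it without `<all_urls>`; the model follows the later comment.

```javascript
"use strict";

// Added example: a model of the collapsing rules described in this issue.
// Not Chrome's code. Category lists come from the comments above; warning
// strings and host-pattern handling are assumptions.

// Nuisance: never produce a warning line. List quoted from the developer
// doc in the first comment, with "cookies" moved to COLLAPSED per the later
// comment. "background" is added because the report says it is not shown
// in the prompt (assumption based on that observation).
const NUISANCE = new Set([
  "activeTab", "browsingData", "clipboardWrite", "contextMenus",
  "experimental", "idle", "storage", "unlimitedStorage", "background",
]);

// Collapsed: warned on alone, folded into the host warning with <all_urls>.
const COLLAPSED = new Set(["cookies"]);

// Supplementary: only usable on hosts the extension can already access, so
// the host-permission warning is the only thing shown.
const SUPPLEMENTARY = new Set(["webRequest", "webRequestBlocking"]);

// Patterns treated as "access to all URLs" (assumption; the comments only
// name <all_urls>).
const ALL_URLS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Separate API permissions from host patterns. Handles MV2 manifests (hosts
// listed in "permissions") and MV3 ones ("host_permissions").
function splitPermissions(manifest) {
  const api = [], hosts = [];
  for (const p of manifest.permissions || []) (isHostPattern(p) ? hosts : api).push(p);
  hosts.push(...(manifest.host_permissions || []));
  return { api, hosts };
}

// Map every declared permission to why it is or is not shown in the prompt.
function classify(manifest) {
  const { api, hosts } = splitPermissions(manifest);
  const allUrls = hosts.some((h) => ALL_URLS.has(h));
  const out = {};
  for (const h of hosts) out[h] = "host (shown)";
  for (const p of api) {
    if (NUISANCE.has(p)) out[p] = "nuisance (never shown)";
    else if (SUPPLEMENTARY.has(p)) out[p] = hosts.length
      ? "supplementary (covered by host warning)"
      : "supplementary (unusable without hosts)";
    else if (COLLAPSED.has(p) && allUrls) out[p] = "collapsed into all-URLs host warning";
    else out[p] = "shown";
  }
  return out;
}

// Build the bullets a prompt would show under this model. Illustrative
// wording; the comments only quote the host warning as "can read and modify...".
function permissionWarnings(manifest) {
  const { api, hosts } = splitPermissions(manifest);
  const allUrls = hosts.some((h) => ALL_URLS.has(h));
  const warnings = [];
  if (allUrls) warnings.push("Read and modify all the data on the websites you visit");
  else if (hosts.length) warnings.push(`Read and modify your data on ${hosts.join(", ")}`);
  const cls = classify(manifest);
  for (const p of api) if (cls[p] === "shown") warnings.push(`Use the '${p}' permission`);
  return warnings;
}

// Constructed manifests mirroring the report's two screenshots: "few" keeps
// host access plus permissions that are hidden by the rules above; "many"
// adds four that each get their own bullet.
const FEW = {
  manifest_version: 2, name: "chrome_ext_few",
  permissions: ["storage", "cookies", "webRequest", "webRequestBlocking",
                "background", "<all_urls>"],
};
const MANY = {
  ...FEW, name: "chrome_ext_many",
  permissions: [...FEW.permissions, "history", "geolocation",
                "notifications", "desktopCapture"],
};

for (const m of [MANY, FEW]) {
  console.log(`${m.name}: ${permissionWarnings(m).length} bullet(s)`);
  console.log(permissionWarnings(m), classify(m));
}
```

Running it shows five bullets for `chrome_ext_many` and a single host bullet for `chrome_ext_few`, which is the behaviour the report describes; `classify()` is the part an auditor wants, since it lists the capabilities (`cookies`, `webRequest`, `background`) that the prompt hides behind the `<all_urls>` line.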