
Issue 849054


Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Mac
Pri: 2
Type: Bug




RFE: finer grained permissions for "read and change all your data"

Reported by khym.cha...@gmail.com, Jun 2 2018

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.62 Safari/537.36

Steps to reproduce the problem:
If an extension wants to read or change anything in a web page, it needs the permission "read and change all your data".

What is the expected behavior?

What went wrong?
The permissions for reading and writing data should be finer grained than that:

* There should be read-only versions of any page data permissions, for extensions that don't need to modify anything on any pages.
* There should be a permission that excludes forms from being visible to the extension, for extensions that don't need to read/change forms. Similarly, there should be an extension that includes forms *except* for usernames, passwords, credit card info, and so on. These permissions should also prevent new fields or new forms from being inserted into the page.
* There should be a permission which *only* allows the data of existing forms to be read/changed, for extensions like form recovery and grammar correction.
* There should be a permission for only reading/changing CSS/style, for extensions like Stylish.

WebStore page: 

Did this work before? No 

Chrome version: 67.0.3396.62  Channel: stable
OS Version: Fedora 27
Flash Version:
 
Labels: Needs-Triage-M67
Cc: sindhu.chelamcherla@chromium.org
Labels: Triaged-ET M-69 Target-69 FoundIn-69 OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)
As per comment#0 this seems to be a feature request. Hence marking it as Untriaged.

Thanks!
Cc: rdevlin....@chromium.org
Labels: -M-69 -Target-69 -Needs-Triage-M67
Status: Available (was: Untriaged)
We agree that there is definitely some opportunity for providing finer grained permissions (or more focused APIs) on the extensions platform for page access.  We're investigating a number of different options in this area, some of which may address a few of these needs.  The tricky part is that there isn't really a good ability to restrict JS on a page, so this has to be thought about carefully.

Marking this as available for now.
