this post was submitted on 24 Nov 2023
224 points (96.7% liked)
Firefox
17885 readers
46 users here now
A place to discuss the news and latest developments on the open-source browser Firefox
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I keep thinking about installing this, but the required permissions seem a bit excessive:
Anyone know if the 'All Access' permission is really required for what this is doing? It just feels wrong. There isn't some sort of "Control Navigation for These Domains" that it could request for each enabled site or something is there?
"Access your data for all websites" is important because otherwise it doesn't know what domain you're on in the first place.
Access browser tabs
Access browser activity during navigation
are enough to do that.
Maybe the devs don't know that. Could you open an issue on this?
Asking you because you may know more about these permissions than me.
I've been using the addon for some time, and while it's good now, there were some silly mistakes in the past. What I'm trying to say is that maybe they're just relatively a beginner, and it haven't yet occurred to them to revisit the permissions.
I went through the issues. Indeed what I said was all you need for redirecting from YouTube et al, but now it also checks every single libre instance you go to and goes to somewhere else if the instance is down.
Shouldn’t it just require access to i.e. YouTube.com and not a blanket everything? This is what other extensions do.
It can redirect a dozen other services too
Just add them to the list. They have to code separate rules anyway.
It's open source, you can ask the author and other users about it too (if you can't read the code yourself)
Oh, I'm confident(-ish) in my ability to review the code, but as I understand it I have no way to guarantee that the code that's on github is the code that AMO installs. Plus updates are automatic, so I have no way to ensure that something malicious won't be added anyway.
You can build it yourself from source then.
You can only do that with Firefox Developer, can't you? And IIRC, they self uninstall after a week or something, don't they?
You can either install it unsigned with Firefox Developer Edition and it will be permanent. Or you can sign it yourself (you don’t need to publish it on AMO): https://extensionworkshop.com/documentation/publish/signing-and-distribution-overview/ and it will work on regular Firefox.
Addon files (.xpi files) are zip packages of the addons. They should contain the script files without obfuscation (I think this is an AMO policy), besides any resources and the addon manifest file.
The only thing that would be harder to inspect I think is webassembly files.
I think you can still build the extension package and upload it yourself
It's open-source so you don't need to worry