Troublesome permissions

[William Ferguson]

The extension looks good, but why does it need permissions to

- read and change google-analytics

- read and change googleapis

We can't allow that kind of a hole in our corporate security.

[Simon Weber]

There's a quick explanation here. More specifically, the analytics endpoints are used through Chrome Platform Analytics and the api endpoints are used directly for auth, Google Music, and the Web Store licensing api.

I could make the latter more specific without much trouble. The former I probably could too; I'd just need to look into exactly what endpoints that client library uses.

Normally I'd be happy to push small changes immediately, but manifest changes are tough to roll out. I went through this recently with another extension of mine: newer Chromes seem to silently disable the extension rather than prompting with the new permissions, which is problematic for anything expected to run in the background. So, it's the kind of change I'll need to a) get right in one go and b) give a warning about ahead of time.

Thanks for raising this! I should have time to dig into it more deeply over the weekend.

[William Ferguson]

Great, thanks Simon.

If the permissions were tighter this would be something we would be keen on.

--
You received this message because you are subscribed to the Google Groups "Autoplaylists for Google Music" group.
To unsubscribe from this group and stop receiving emails from it, send an email to autoplaylists-for-goo...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/autoplaylists-for-google-music/ba855f58-d8ce-4f8c-b158-1db80e54cc71%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Simon Weber]

Alright, I think I can substantially trim these down. Specifically:

• google-analytics doesn't seem to be needed if I switch away from CPA
  
• googleapis can be restricted to just chromewebstore/* and sj/*
• tabs (which generates the misleading "read your browsing history" warning) may not be needed, since tabs.query seems to work with just host permissions now

Best of all, it seems like Chrome might not disable the extension if I'm only narrowing permissions. If that works out I could probably launch this next week or so; otherwise it'll probably be more like a month.

On Thursday, October 25, 2018 at 7:57:23 PM UTC-4, William Ferguson wrote:

Great, thanks Simon.

If the permissions were tighter this would be something we would be keen on.

On Fri, Oct 26, 2018 at 9:38 AM Simon Weber <swe...@gmail.com> wrote:

There's a quick explanation here. More specifically, the analytics endpoints are used through Chrome Platform Analytics and the api endpoints are used directly for auth, Google Music, and the Web Store licensing api.

I could make the latter more specific without much trouble. The former I probably could too; I'd just need to look into exactly what endpoints that client library uses.

Normally I'd be happy to push small changes immediately, but manifest changes are tough to roll out. I went through this recently with another extension of mine: newer Chromes seem to silently disable the extension rather than prompting with the new permissions, which is problematic for anything expected to run in the background. So, it's the kind of change I'll need to a) get right in one go and b) give a warning about ahead of time.

Thanks for raising this! I should have time to dig into it more deeply over the weekend.

On Thursday, October 25, 2018 at 7:05:21 PM UTC-4, William Ferguson wrote:

The extension looks good, but why does it need permissions to

- read and change google-analytics

- read and change googleapis

We can't allow that kind of a hole in our corporate security.

--
You received this message because you are subscribed to the Google Groups "Autoplaylists for Google Music" group.

To unsubscribe from this group and stop receiving emails from it, send an email to autoplaylists-for-google-music+unsubscribe@googlegroups.com.

[Autoplaylists for Google Music]

Ok, I've published 5.10.6 with those changes. Everything went fine in testing, and the update seems to have rolled out without a prompt.

You can find the exact new permissions here. Notably, Google still shows "read and change your data on googleapis" even though it's restricted to just skyjam (Google Music) and the web store.

On Sunday, October 28, 2018 at 7:57:43 PM UTC-4, Simon Weber wrote:

Alright, I think I can substantially trim these down. Specifically:

• google-analytics doesn't seem to be needed if I switch away from CPA
  
• googleapis can be restricted to just chromewebstore/* and sj/*
• tabs (which generates the misleading "read your browsing history" warning) may not be needed, since tabs.query seems to work with just host permissions now

Best of all, it seems like Chrome might not disable the extension if I'm only narrowing permissions. If that works out I could probably launch this next week or so; otherwise it'll probably be more like a month.

On Thursday, October 25, 2018 at 7:57:23 PM UTC-4, William Ferguson wrote:

Great, thanks Simon.

If the permissions were tighter this would be something we would be keen on.