Access authorization

[Gerald Kluge]

Why does the new version (8.6.5) need access not only to Thunderbird but to the whole computer? This is clearly too high a security risk for me.

[Jonathan Kamens]

The old version already had access to "the whole computer," Thunderbird is just being explicit about it now.

The new version of Thunderbird supports "MailExtensions", which are similar to Chrome's "WebExtensions" in that they run inside a restricted sandbox with limited access. Before TB78 there were no such restrictions, and every add-on had pretty much full access.

The new security model is great, but the problem is that the Thunderbird team hasn't yet implemented all of the MailExtension API's necessary for add-ons like Send Later to work. They're working on it, but in the meantime, they've provided add-ons with the ability for part of their code to run in the old, pre-MailExtension environment, so that they can do their jobs until the necessary restricted API's are created.

Send Later falls into this category: it is not yet possible to do what Send Later does without going outside of the MailExtension environment. And since any extension which goes outside of the MailExtension environment has access to "the whole computer," Thunderbird warns about that when you install the add-on.

Again: the level of access Send Later is asking for here is not new, it's just more explicit.

Also, the code in the add-on has been reviewed by the moderators of addons.thunderbird.net and confirmed not to be malicious.

Regards,

Jonathan Kamens
Send Later Thunderbird Add-on
Install | Write a review | Join the mailing list | Make a donation

On 12/15/20 9:39 AM, 'Gerald Kluge' via Send Later Users wrote:

Why does the new version (8.6.5) need access not only to Thunderbird but to the whole computer? This is clearly too high a security risk for me.

--
You received this message because you are subscribed to the Google Groups "Send Later Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to send-later-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/send-later-users/368c6dda-72b3-484c-8969-03532ace26d3n%40googlegroups.com.

[David Zaslavsky]

Hi Jonathan (actually both Jonathans),

Thanks for this explanation and for your excellent work on Send Later.

Would you consider adding a note about this to the description on addons.thunderbird.net or the addon home page? (Assuming one isn't already there, but I looked and couldn't find it.) I understand the need for full permissions, but it does concern me when an addon requests non-obvious permissions and its documentation doesn't try to explain why it needs them. I'm sure some other people will think similarly, and having something in the description and/or on the home page that at least acknowledges the permission request would help them not to worry over nothing.

David

[Jonathan Perry-Houts]

There is a discussion topic where this is answered: https://github.com/Extended-Thunder/send-later/discussions/250 -- and the addons.thunderbird.net 'support' link points users to that discussion forum.

But my medium-term plan for the Send Later documentation is to move everything to a Wiki, which will have a dedicated FAQ. That's still a work in progress, and is online here: https://github.com/Extended-Thunder/send-later/wiki
I'm almost done migrating information over from the old support page (which was recently migrated from Jonathan Kamen's blog), but I won't have time to properly finish that in the next couple of weeks. Once that's all done then there will be a prominent link from the addons.thunderbird.net homepage to that wiki, which will hopefully make it the first go-to source for questions about Send Later.