Explanation and justification for permissions requested by this extension #213

Open
ArhatEves opened this issue May 24, 2015 · 9 comments

@ArhatEves

Hey all. I desperately need this, and it's so cool that it's on a GNU license, but it scares the crap out of me that it says it can read and change all your data on the websites you visit. Can someone please explain what that entails exactly? I'm hoping that it's not as bad as it sounds, because it sounds like a security/privacy nightmare.

@deanoemcke
Collaborator

@ArhatEves it is indeed unfortunate that the extension requests such scary permissions. the reason for this is that it requires a content script to be run in the background of every open tab. the main functionality this provides is the ability to detect if the user is part way through editing a form. it also does a few other things like set the page scroll position on reload and capture a screenshot before suspending if you have that feature enabled.

while this means in theory that it could read anything on the page, record keystrokes etc, you will have to trust me when I say that it does not. the extension is built from the source code of this project. if you would like to see exactly what the content script is doing, you can view the source for it here: https://github.com/deanoemcke/thegreatsuspender/blob/master/js/contentscript.js

i believe that chrome relies on the webstore review process to allow the community to determine whether an extension can be trusted. they say this exact thing here: https://support.google.com/chrome_webstore/answer/186213?hl=en

given the number of users this extension has, the open source nature of the code, and the lack of any negative reviews in this respect, i would say you can be fairly confident in trusting it.

@ArhatEves
Author

Hey, thank you so much for the explanation and links. My mind is at ease! Much appreciated.

@fc0967

fc0967 commented Nov 20, 2017

Can this extension be leveraged by a malicious actor to extract the user browsing information?

@deanoemcke
Collaborator

The most obvious thing I can think of is that it stores the user's tab session history in a local indexedDb database on the user's filesystem. When you clear your browsing history, it will not clear this session history, although you can remove this manually within the extension. There is a feature request to turn off this automatic saving of session history: #587

Other than that, chrome does a pretty thorough job of making sure the code of the extension itself is never compromised. You will receive an 'extension is corrupted' message if this ever happens.

I am not a security expert however, so please don't take this as a definite answer.

@deanoemcke deanoemcke changed the title Read and change all your data on the websites you visit??? Explanation and justification for permissions requested by this extension Oct 11, 2018
@deanoemcke
Collaborator

Just want to add some more information here about the "Read and change your browsing history" required permissions.
The only thing this is used for is to 'tidy up' the urls in the session history to remove any suspended tab entries. They are always duplicates of the real urls and just clutter up the history if left in there.
For more information on this behaviour (and its limitations), refer to this issue: #717
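
Added example, not part of the thread and not the extension's own code: a small auditor that maps manifest entries to the two install-time warnings discussed above (the every-tab content script and the `history` permission) and lists which script files to review. The manifest, its extension name and the `auditManifest` helper are constructed for illustration, and the Manifest V2 layout is an assumption.

```javascript
// Added example: map manifest entries to the install-time warnings discussed in this thread.
// The manifest below is constructed for illustration; it is NOT the extension's real manifest.
const sampleManifest = {
  name: "example-tab-suspender",
  permissions: ["tabs", "storage", "history"],
  content_scripts: [
    { matches: ["http://*/*", "https://*/*"], js: ["js/contentscript.js"] },
  ],
};

// Match patterns that cover every site for a scheme.
const ALL_SITES = /^(<all_urls>|(\*|https?):\/\/\*\/\*)$/;
const SITES_WARNING = "Read and change all your data on the websites you visit";
const HISTORY_WARNING = "Read and change your browsing history";

// Hypothetical helper: returns one finding per broad grant, with the files to review.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const scripts = manifest.content_scripts || [];

  // A content script injected on every URL can read and modify each page's DOM.
  for (const cs of scripts) {
    const broad = (cs.matches || []).filter((m) => ALL_SITES.test(m));
    if (broad.length > 0) {
      findings.push({ source: "content_scripts", patterns: broad,
        files: cs.js || [], warning: SITES_WARNING });
    }
  }
  // Host patterns listed under permissions grant the same reach (Manifest V2 layout).
  const broadHosts = perms.filter((p) => ALL_SITES.test(p));
  if (broadHosts.length > 0) {
    findings.push({ source: "permissions", patterns: broadHosts,
      files: [], warning: SITES_WARNING });
  }
  // The history API allows both reading and deleting history entries.
  if (perms.includes("history")) {
    findings.push({ source: "permissions", patterns: ["history"],
      files: [], warning: HISTORY_WARNING });
  }
  return findings;
}

console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

The `files` field of each finding is the reading list: those scripts are the code that actually runs with the broad grant.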

@nmai

nmai commented Feb 6, 2021

This aged nicely 👍

@ArhatEves
Author

ArhatEves commented Feb 6, 2021 via email

@prbhtkumr

sigh, been searching for a safe tab suspender plugin but this is kinda sus

@wylie39

wylie39 commented Aug 12, 2021

> sigh, been searching for a safe tab suspender plugin but this is kinda sus

I recommend This one
