Comments (5)
I think I may have answered my own question in a way.
Yes, that is the correct way of doing this, not on extension level. Extensions can decide not to load on certain domains, like Blockcore Notes does with a deny-list (stops from loading) and allow-list (shows green validated domain).
from nos2x-fox.
Good discussion! To be honest, I also was not happy with the "Access data from all websites". However, I never did much research into it (thank you for doing it).
Given that there is no native way of putting that restriction in place, I don't know if it makes much sense to implement it at the extension level.
The reason I would like to restrict domains, as you mention in your first message, is in case I don't fully trust the extension. So, if the extension is the one handling that, I'm not much better. Let's say the extension has malicious code or is hacked somehow, the extension-level domain restriction won't do any good in preventing the attack.
To be honest, I'm not sure how helpful that could be.
from nos2x-fox.
I think I may have answered my own question in a way.
On Google Chrome you can do this now by going to extensions > extension details > site access > Allow this extension to read and change all your data on websites you visit > Can choose on click or on specific sites and define a list of sites or perform an 'on click' action to self-authorize reading or changing of data.
On Firefox the option is not readily available in the add-ons page. So, I still need to figure out how to do this.
from nos2x-fox.
I think I may have answered my own question in a way.
Yes, that is the correct way of doing this, not on extension level. Extensions can decide not to load on certain domains, like Blockcore Notes does with a deny-list (stops from loading) and allow-list (shows green validated domain).
After some research, I found out that Firefox does not yet support a setting for extensions to restrict "Allow access to all domains data", unlike Chrome. The idea has been open for discussion for some time now, but it is not available yet.
However, I think probably adding an options page input field to add domains and then controlling the 'content_scripts' permissions for 'matches' for a list of user-defined domains would be a nice-to-have.
from nos2x-fox.
Good discussion! To be honest, I also was not happy with the "Access data from all websites". However, I never did much research into it (thank you for doing it).
Given that there is no native way of putting that restriction in place, I don't know if it makes much sense to implement it at the extension level. The reason I would like to restrict domains, as you mention in your first message, is in case I don't fully trust the extension. So, if the extension is the one handling that, I'm not much better. Let's say the extension has malicious code or is hacked somehow, the extension-level domain restriction won't do any good in preventing the attack. To be honest, I'm not sure how helpful that could be.
I agree! For now I have modified the extension to allow only the domains I need it to give access to, changing content_scripts > matches from '<all_urls>' to the Nostr client domains, until Firefox adds this functionality in the browser itself. I was able to get it signed for self use.
I'll probably write a guide for others to maybe do the same or run it unsigned with the browser setting xpinstall.signatures.required as false. I'm not a fan of that change in Firefox configuration since it could lead to potentially having other extensions being installed maliciously, but I guess maybe a separate browser profile or browser could be used for Nostr.
I'll close this for now as I think I can work out with my modified extension's manifest.json. Thanks for the inputs everyone!
from nos2x-fox.
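Added example, not part of the thread or of the nos2x-fox code: a Node.js check that audits a manifest's content_scripts > matches entries against a host allowlist, the kind of review one would do before self-signing a modified build as described in the last comment. The sample manifest and the host `client.example` are constructed placeholders, and the function names are hypothetical.

```javascript
// Constructed sample data; this is NOT the real nos2x-fox manifest.json.
const sampleManifest = {
  manifest_version: 2,
  content_scripts: [
    { matches: ["<all_urls>"], js: ["content.js"] },
    { matches: ["https://client.example/*", "*://*.relay.example/*"], js: ["content.js"] },
  ],
};

// Split a WebExtension match pattern (scheme://host/path) into scheme and host.
// Returns null when the string does not have that shape.
function parsePattern(pattern) {
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^\/]*)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2] } : null;
}

// Report every match pattern that reaches beyond the allowed hosts.
function auditMatches(manifest, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) {
      if (pattern === "<all_urls>") {
        findings.push({ pattern, reason: "matches every URL" });
        continue;
      }
      const p = parsePattern(pattern);
      if (!p) {
        findings.push({ pattern, reason: "malformed pattern" });
      } else if (p.host === "*" || p.host.startsWith("*.")) {
        findings.push({ pattern, reason: "wildcard host" });
      } else if (!allowed.has(p.host.toLowerCase())) {
        findings.push({ pattern, reason: "host not in allowlist" });
      } else if (p.scheme !== "https") {
        findings.push({ pattern, reason: "scheme is not https-only" });
      }
    }
  }
  return findings;
}

// Hypothetical allowlist: the single client domain the user wants to permit.
const findings = auditMatches(sampleManifest, ["client.example"]);
for (const f of findings) console.log(`${f.reason}: ${f.pattern}`);
```

Because the browser enforces `matches` from the manifest, a clean audit here restricts where the content script is injected regardless of what the extension's own code does at runtime.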