Extension permissions #5

Closed
mrjk05 opened this issue Nov 28, 2024 · 2 comments

@mrjk05

mrjk05 commented Nov 28, 2024

Wondering why you need all the permissions?

"This extension would be able to read and alter web pages and see your browsing history on this website. This could include sensitive information, including passwords, phone numbers and credit cards.

You can change this later in the Websites section of Safari Settings."

@mrjk05
Author

mrjk05 commented Nov 28, 2024

Based on the code, the extension's broad permissions could theoretically allow access to sensitive information, but looking at the actual code implementation in content.js, the extension only:

  1. Looks for video elements using specific selectors:

```js
function getVideo() {
    const youtubeVideo = document.querySelector('.html5-main-video');
    if (youtubeVideo) return youtubeVideo;
    return document.querySelector('video');
}
```

  2. Monitors tab visibility changes to trigger PiP mode:

```js
document.addEventListener("visibilitychange", function() {
    const video = getVideo();
    if (!video) return;
    // ... PiP logic
});
```

The warning message appears because of the broad permissions requested ("<all_urls>" and "tabs"), but the actual implementation doesn't:

  • Access form data, passwords, or credit card information
  • Track browsing history
  • Read or modify sensitive data
  • Store or transmit any user data

The extension's code is focused solely on:

  1. Finding video elements on pages
  2. Detecting when you switch tabs
  3. Toggling Picture-in-Picture mode

While the permissions could theoretically allow for accessing sensitive information, the implemented code doesn't utilize these capabilities for anything beyond its core PiP functionality.

The warning is a standard Safari security measure based on the broad permissions requested, rather than the actual behaviour of the extension.

@vordenken
Owner

Hey @mrjk05,
you basically answered the question yourself. This is right - as far as I know there is no other way to get the necessary information needed to perform the actions the extension does.
You can always just allow the extension on the sites you want to use it on (e.g. YouTube or Netflix).
My next version adds a privacy policy to this repo to hopefully make things clearer.

Right now the app has network capabilities (needed for updating) - if I can launch it in the App Store one day, this permission can also go away, so there would technically be no way for me to get any information.
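The review done by hand in this thread (broad grants in the manifest versus what content.js actually touches) can be scripted. This is an added example, not code from the extension or its author; `broadGrants`, `sensitiveRefs`, the sample manifest and the API pattern list are assumptions, and the scan is a heuristic that flags references for manual review.

```javascript
// Match patterns that grant access to every site.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// API families a reviewer would want to inspect by hand (constructed list).
const SENSITIVE_APIS = [
  { label: 'network', re: /\b(fetch|XMLHttpRequest|WebSocket|sendBeacon)\b/ },
  { label: 'storage', re: /\b(localStorage|sessionStorage|indexedDB)\b|document\.cookie/ },
  { label: 'form-input', re: /type\s*=\s*["']?password|\.value\b|\bFormData\b/ },
  { label: 'messaging', re: /\b(browser|chrome)\.runtime\.(sendMessage|connect)\b/ },
];

// Collect broad host patterns from every manifest key that can carry them.
function broadGrants(manifest) {
  const hosts = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  return [...new Set(hosts.filter((h) => BROAD_HOSTS.has(h)))];
}

// Labels of sensitive API families referenced anywhere in the source text.
function sensitiveRefs(source) {
  return SENSITIVE_APIS.filter((a) => a.re.test(source)).map((a) => a.label);
}

// Constructed manifest: the thread only names "<all_urls>" and "tabs".
const sampleManifest = {
  manifest_version: 3,
  permissions: ['tabs'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};

// The content.js excerpt quoted in the thread (PiP logic is elided there too).
const sampleContent = `
function getVideo() {
  const youtubeVideo = document.querySelector('.html5-main-video');
  if (youtubeVideo) return youtubeVideo;
  return document.querySelector('video');
}
document.addEventListener("visibilitychange", function() {
  const video = getVideo();
  if (!video) return;
  // ... PiP logic
});`;

console.log('broad grants:', broadGrants(sampleManifest));
console.log('sensitive refs:', sensitiveRefs(sampleContent));
```

An empty result from `sensitiveRefs` only covers the source text it was given, so the full content script and any background script need the same pass.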

@vordenken vordenken pinned this issue Nov 28, 2024