More permissions questions

New beta, new permissions. I know there's no way to opt out but there are two new permissions and one of them feels like it should be a non starter.

  1. Manage your downloads
  2. Change your privacy-related settings

Managing my downloads already sounds like something I'm not interested in but changing privacy settings feels like a non starter.


1Password Version: Not Provided
Extension Version: 1.11.4
OS Version: Linux
Sync Type: Not Provided

Comments

  • MikeTMikeT Agile Samurai

    Team Member
    edited October 10

    Hi @stolen,

    Thanks for sharing your thoughts; we've explained why we need these additional permissions in the changelog:

    In this build, we've requested additional browser permissions which will help us add additional functionality to 1Password X.

    • Privacy: Required to optionally set 1Password as your default password manager and disable browser autofill prompts
    • Downloads: Required to automatically download the Emergency Kit for your 1Password account and diagnostic information which we may request
  • dtearedteare Agile Founder

    Team Member
    edited October 10

    You're right to challenge the need for any extension asking for permission to change your privacy-related settings. And I'm quite happy that you did!

    Technically we don't want access to all the powers granted by the privacy permission we're requesting; we only want access to the autofill portion of those settings. Ideally we would be able to request a subset of the permissions, and hopefully someday we'll be able to do that. At present, however, the permission structure provided by the Chrome api is relatively coarse.

    As an extension it's important that we limit our permissions to be as small as possible and so for the longest time we decided not to add these additional permissions even though we had features we wanted to use them for. After further consideration, we decided that it was something we needed. To help put things in perspective, 1Password needs access to every web page and every password field already, so I'd argue we've already been granted more permission than what either of the privacy or downloads permissions would provide.

    Sometime I do cringe when I see how many permissions we need to require. At the same time, we're making what's arguably the most complex extension in the store and we need to touch on every aspect of the browser to recreate a desktop app experience.

    I hope that helps shed more light on the permissions we're asking for.

    ++dave;

  • Is there any reason you couldn't mark these as optional permissions so they're not required when the extension is upgraded? It takes a lot of effort to track down the release notes and this specific discussion thread when the only thing Chrome will tell you about an extension is "You must accept these permissions or uninstall it". I know it's more work on your part to create a flow to request them and for the code to detect if they've been granted, but it would go a long way toward being security conscious and showing good will to your users without feeling like "We know what's best for you".

    And now because/while the extension is disabled I've lost access to my credentials and can't easily sign in to anything or ensure I'm pasting passwords into the right websites, which makes users less secure by default.

  • brentybrenty

    Team Member

    @zimzat: Unfortunately we don't have control over the presentation of the permissions dialog in the browser. Release notes are linked to directly in the update notification though, and in 1Password X Settings, so it's not as hard to find as you might think. And of course you can always sign into your account through the website if needed. Cheers! :)

  • @brenty I'm not sure what update notification is being referred to. Often times the only way I know an extension was updated is when it manually pops open a new tab with the release notes the next time I open my browser (e.g. TamperMonkey) or when the browser is saying it has been disabled (e.g. 1Password). Once the extension is disabled, because it updated in the background, users can't access the Settings tab without accepting the new permissions first (chicken and egg).

    In order to find the release notes I had to go to "Chrome > More Tools > Extensions > 1Password X Details > View in Chrome Web Store > Support > view responses to Seth Vargo on why it was requesting additional permissions > copy and paste url into browser.

    As for the permission dialog, Chrome and Firefox allow you to mark permissions as optional and to request them at runtime only when they're actually going to be used, it's in their API. It's pretty standard for how permissions are done in most Android and iPhone apps as well.
    https://developer.chrome.com/extensions/permissions
    https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/optional_permissions

  • brentybrenty

    Team Member

    I'm not sure what update notification is being referred to.

    @zimzat: It comes up when the browser updates it. I'd give you a screenshot, but I'm way past that already. :lol:

    Often times the only way I know an extension was updated is when it manually pops open a new tab with the release notes the next time I open my browser (e.g. TamperMonkey) or when the browser is saying it has been disabled (e.g. 1Password).

    Yeah, we don't want 1Password to be that intrusive. But it almost sounds like that's what you're asking for.

    Once the extension is disabled, because it updated in the background, users can't access the Settings tab without accepting the new permissions first (chicken and egg).

    Perhaps, but I'm not sure what we can do in that case. Open to suggestions.

    In order to find the release notes I had to go to "Chrome > More Tools > Extensions > 1Password X Details > View in Chrome Web Store > Support > view responses to Seth Vargo on why it was requesting additional permissions > copy and paste url into browser.

    I don't know who you're talking about, but if you right-click the 1Password X icon, you can select Settings, and then click Release Notes:

    As for the permission dialog, Chrome and Firefox allow you to mark permissions as optional and to request them at runtime only when they're actually going to be used, it's in their API. It's pretty standard for how permissions are done in most Android and iPhone apps as well.

    That's pretty intrusive too, but we'll continue to evaluate your feedback along with everyone else's to see if that's a direction we should go in the future. Thanks for sharing your preferences! :)

  • dtearedteare Agile Founder

    Team Member

    Regarding release notes, 1Password X typically shows a system notification after updating, and clicking it will take you to the full changelog.

    In the case of this update, we indeed had a chicken and the egg problem like you described. We are only notified that we were upgraded once we're launched, and we couldn't be launched before the prompt for additional permissions is accepted.

    So yes, absolutely, I agree that this is not an ideal upgrade experience and I apologize for that. Having more control over upgrades is one of the great features of having a standalone app, but that comes with downsides of its own.

    I'm glad to see how many people are paying such close attention to these permissions. I was afraid we'd upgrade and no one would notice. 🙂

    ++dave;

  • dtearedteare Agile Founder

    Team Member

    I like the idea of asking for permissions dynamically. That could work quite well for bookmarks and manage and a few others. We'll look into this for a future update.

  • Thank you @dteare, that makes me feel a lot better. I was starting to wonder if Chrome was doing something different for me than it was for others or if there was some way I missed for it to prompt before updating extensions with permission changes.

    @brenty Because of the chicken and egg problem I opened my browser this morning, passwords weren't autofilling, and this is all I could see by default.

    Clicking that line (left, right, or middle) doesn't give an option to view the extension details, it's just:

    Thank you!

  • dtearedteare Agile Founder

    Team Member

    You're very welcome. 🙂

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file