anth0d / confluence-quick-search

Adds a quick search to Chrome, pointed at your team's Confluence URL.


Remove site access

Sti2nd opened this issue

Hi,
Does this extension need to read and change site data? Can this access be removed?

This extension uses whatever permission your logged-in Confluence user has. This extension is a simple JavaScript function which renders a small HTML page and updates it with results from the Confluence search API. The only data stored by this extension is your Confluence site URL, and that is only ever stored in your browser's local storage. Note that many browser extensions have significant access to your local browsing, including password managers and ad blockers.

If you want to limit the access that this extension has, you can either remove permissions from your Confluence user, or log into a different user in Confluence; however, I don't think you would want to do either of those things.

If you are asking whether it's possible for this extension to use a different credential with fewer privileges, unfortunately that would require me to operate a separate server in order to establish a trust relationship with the Confluence API, and would require your Confluence administrator to install my app on your Confluence. And this would not work for self-hosted Confluence users, of which we have many. So unfortunately the best solution from my perspective would be to continue using your local browser session in order to interact with Confluence on your behalf.

I hope this helps! Let me know if there are any other questions -- otherwise I will close this issue out. I will be sure to update here if anything changes.

Sorry, I should have been more specific. This extension apparently can read all web pages I visit in my Chrome browser.
It seems to me that this extension wouldn't need to read any web page data through my web browser to function?

I think the problem lies in the permissions this extension is requesting: it is requesting to read all HTTPS web pages in the browser.

https://github.com/anth0d/chrome-confluence-search/blob/98dfdb63870e2f586b4fadbecc96cfbf25b97171/public/manifest.json#L10

Ah I see what you mean. The reason for that level of access is that Chrome manifest v2 did not allow me a mechanism for giving the user the ability to declare which subdomain they need access to. (Every user's Confluence host is different, and not necessarily *.atlassian.net)

I will look to see if more recent web extension manifests support dynamic configuration of this particular permission.

I Googled dynamic configuration of host permission and sadly didn't come up with anything.

Can I propose another solution? Make use of the new optional_host_permissions and place the * access there, and hard-code the common hosts like *.atlassian.net in the new host_permissions. That way those who need custom URLs can approve the optional permission and the rest of us get a more secure extension 😃

Link to relevant documentation from the migration guide

👋 Dynamic configuration is added to the upcoming v2.0.0 release, which will be available shortly. I haven't hard-coded *.atlassian.net but rather, the first search attempt will ask for explicit host permission for whatever you've configured as your site host, and store this approval in your browser settings.
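
The approach discussed in this thread (a broad optional host permission in the manifest, narrowed at runtime to the one configured Confluence host), shown as an added example that is not the extension's own code. The function names, the manifest fragment in the comment and the sample hosts in the wiring are assumptions.

```javascript
// Added example, not the extension's code. Assumed Manifest V3 fragment:
//   "host_permissions": [],
//   "optional_host_permissions": ["https://*/*"]
// The broad pattern is only *requestable*; nothing is granted at install.

// Reduce the user-configured site URL to a match pattern for that one host.
function toOriginPattern(siteUrl) {
  const url = new URL(siteUrl); // throws TypeError on malformed input
  if (url.protocol !== "https:") {
    throw new Error("site URL must use https");
  }
  if (url.username || url.password) {
    throw new Error("site URL must not embed credentials");
  }
  // new URL() accepts "*" in a host name, so "https://*/" would otherwise
  // turn back into the all-sites pattern this change is meant to remove.
  if (url.hostname.includes("*")) {
    throw new Error("wildcard hosts are not accepted");
  }
  // Only the host is kept; port and path are dropped (a choice made here).
  return `https://${url.hostname}/*`;
}

// `permissions` is chrome.permissions in the extension; passing it in
// keeps the function testable outside the browser.
async function ensureHostPermission(permissions, siteUrl) {
  const wanted = { origins: [toOriginPattern(siteUrl)] };
  if (await permissions.contains(wanted)) {
    return true; // approved earlier, the browser remembers the grant
  }
  // Shows the browser's prompt; resolves to false if the user declines.
  return permissions.request(wanted);
}

// Hypothetical wiring inside the extension. chrome.permissions.request()
// must run from a user gesture, such as the search form's submit handler:
//
//   form.addEventListener("submit", async (event) => {
//     event.preventDefault();
//     if (await ensureHostPermission(chrome.permissions, siteUrl)) {
//       runSearch(siteUrl, query); // hypothetical search function
//     }
//   });
```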