top | item 23348468

(no title)

stackola | 5 years ago

I know it's needed to provide the functionality you're going for, but I'm always weary of extensions that want to "read and change data on ALL websites I visit".

Any reason why you not just request permission for the 19 domains you actually support? Also, I know some extension request permission on a per-domain-basis the first time they actually try to access it. Maybe that's a path you could also look into.

discuss

louisbarclay|5 years ago

Good point. I had that debate with myself. And I concluded that since I'm going to be adding quite a few domains to Unweb in the near future, and since I don't want users to be asked for new permissions every time they install a new version (which is a potential churn point), I preferred to go with the <all_urls> permission for the hiding content script.

This is inline with what similar extensions like Motion (YC W20, http://inmotion.app/) do. But I do really sympathise and I'm sorry that this was a bad experience.

Incidentally there's a cost (aside from user trust) to doing it this way, which is that the Web Store takes far longer to review your extension - which hopefully means they do a good job of checking the permissions aren't being used malevolently.