OP (or whoever authored the app), open your manifest.json file, go to line 20, and edit the permissions line to remove the all-domain permissions. Here are your current permissions:
I'm not going to read through all of your js to figure out what other domains you really need. Kudos on the idea -- I like it. Just not ideal to ship an app to this audience with the unnecessary security nail-biter during install. Fix and push and you should be good to go.
While I agree with your point, the extension will need permissions for all the sites it's contacting besides Hacker News (Twitter, LinkedIn, etc). I'm guessing Gwendall figured he might as well put a lax permission while developing to make it easy on him. It'd still be a good time to clean this up.
The reason it needs all permissions is that some people have their own pages and the data is on there. So you might need permission to crawl those secondary pages for twitter and github (?)
At least I think that's how it works. I could be wrong.
I didn't install it, even though I like the idea, because it wanted access to 'data on all websites'. I don't know whether Chrome allows more permissive permissions (like only HN), but trust is a rare good and I wouldn't allow a random extension to see everything I browse to.
In my experience it won't work until you approve it, and even then the messaging Chrome uses here is really obtuse and makes it come off as malicious. A lot of people were initially put off by a recent Reddit Enhancement Suite update that asked the same thing, but all it was doing was trying to access full-sized images posted to the site from their native URLs so you didn't have to click into each one. Not sure if this is always 100% of the case regarding updates, though.
Gwen here, I am building hackerface. Didn't quite expect it to land here before I do some more testing but here it is!
Re. the "all permissions" thing, it is required to circumvent the same domain origin policy since the plugin does a bunch of GET requests to external websites to find information about you. Working on improving the results and some nice new features right now.
Thanks for the great extension! My suggestion is to move extraction to your server, which would solve the permissions and same origin policy problems. We'd only have to give permission for your website, and as a bonus you can cache extraction for quicker results.
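Added example, not code from hackerface or from any commenter above: a small audit of the host permissions in a Chrome extension manifest, illustrating the fix asked for in the first comments (drop the all-domain grant), the reason given for it (host permissions are what let a background page make cross-origin GETs), and the server-side alternative suggested just above (only the extension's own backend needs to be listed). The manifests, host names (`api.example.com` etc.) and function names are all constructed for this example; the permission patterns themselves are the match-pattern syntax Chrome documents for manifest v2.

```javascript
// Added example: audit and narrow Chrome extension host permissions.
// Assumes the manifest v2 layout where match patterns live in "permissions"
// alongside API permissions such as "tabs". Everything below is constructed
// for illustration and is not the extension's real manifest.

// Parse a Chrome match pattern (scheme://host/path). Returns null for
// non-pattern entries such as API permissions ("tabs", "storage").
function parseMatchPattern(p) {
  if (p === '<all_urls>') return { scheme: '*', host: '*', path: '/*' };
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(p);
  if (!m) return null;
  return { scheme: m[1], host: m[2], path: m[3] };
}

// Classify the host part: "*" grants every site; "*.example.com" grants a
// domain and its subdomains; anything else is a single host.
function hostScope(host) {
  if (host === '*') return 'all-hosts';
  if (host.startsWith('*.')) return 'subdomain-wildcard';
  return 'single-host';
}

// One finding per permission entry; all-host grants are flagged "high".
function auditPermissions(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    const mp = parseMatchPattern(p);
    if (!mp) {
      findings.push({ permission: p, kind: 'api', severity: 'info' });
      continue;
    }
    const scope = hostScope(mp.host);
    findings.push({
      permission: p,
      kind: 'host',
      scope,
      severity: scope === 'all-hosts' ? 'high' : 'ok',
    });
  }
  return findings;
}

// True when Chrome would show the "your data on all websites" warning.
function grantsAllSites(manifest) {
  return auditPermissions(manifest).some(f => f.severity === 'high');
}

// Return a copy of the manifest with all-host patterns removed and an
// explicit https pattern added for each host the extension really contacts.
function narrowPermissions(manifest, hosts) {
  const kept = (manifest.permissions || []).filter(p => {
    const mp = parseMatchPattern(p);
    return !(mp && hostScope(mp.host) === 'all-hosts');
  });
  const added = hosts.map(h => `https://${h}/*`);
  return { ...manifest, permissions: [...new Set([...kept, ...added])] };
}

// Constructed "before" manifest: the lax grant that triggers the warning.
const laxManifest = {
  manifest_version: 2,
  name: 'example-profile-extension',
  version: '0.1',
  permissions: ['tabs', 'http://*/*', 'https://*/*'],
};

// "After", variant 1: list the sites the thread says get crawled directly.
const narrowed = narrowPermissions(laxManifest, [
  'news.ycombinator.com',
  'twitter.com',
  'www.linkedin.com',
  'github.com',
]);

// "After", variant 2: extraction moved server-side, so only the extension's
// own (hypothetical) backend is needed besides HN itself.
const serverBacked = narrowPermissions(laxManifest, [
  'news.ycombinator.com',
  'api.example.com',
]);
```

`<all_urls>` and the scheme-wildcard form `*://*/*` both resolve to the all-hosts scope, so the audit treats them the same way Chrome's install prompt does. With the server-backed manifest the same-origin concern moves to the backend, where it no longer needs any browser permission at all.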
Hey Gwen, do you plan to enable people to correct the info? Somehow my account is being combined with someone else's stuff--the person who created the Tumblr theme that my personal website uses.
Is it easier to develop extensions for chrome than it is for firefox? I'm a firefox user and only find this kind of extension for chrome. Or are all the cool kids using chrome these days?
I've developed extensions/plugins for both browsers. Chrome is way easier, but not as powerful. Firefox is much more obtuse, but also much more powerful.
In practice, I found developing for Chrome much more enjoyable. Developing for Chrome felt like modern development whereas developing for Firefox felt very heavy, verbose and overall frustrating.
I'm currently porting my Firefox extension to the new Addon SDK. It does indeed look more like the Chrome/Safari/Opera model and makes things easier (like restartless addons which was hard to do before in Firefox).
Chrome extensions have a fairly limited API that lets you do some pre-approved things using an HTML/CSS UI.
Firefox, on the other hand, provides full access to its internal modules; a lot of the browser itself is built on JavaScript and XUL (the UI language) and extensions are essentially on equal footing in that regard: they can extend and even replace a lot of the browser.
A good example is sqlite-manager, which is essentially a simple but full-blown database manager which can read and edit SQLite databases, since it has filesystem access.
There's also the oldish Chatzilla, which can connect directly to IRC servers (a Chrome extension can only connect to HTTP or websocket servers). And It's All Text! which can launch a local text editor to edit a textarea field.
We've been using crossrider.com for our plugin. It lets you write the code once in javascript and then it packages the plugins for IE, chrome, firefox and safari. They've been out of beta for a while now so it's pretty solid. It's also free! (and no I don't work for them :) )
A good start, but I think it misses the things I like about rapportive. The most important thing in rapportive, IMO, is that you see a picture of the person you're responding to. That causes you to respond to a person, rather than just a "user" or "email address" - it forces you to acknowledge the person at the other end, and encourages empathy for them.
This should automatically tell me the person I'm responding to if possible, and show me a picture and context then. A picture (or gravatar) next to their username would also be cool.
The script breaks on trying to view my own profile. The error is: "Uncaught TypeError: Cannot call method 'split' of undefined" in chrome-extension://daljejehnbbbhjlecjgafnnfgilbkdhj/script.mini.js:32
It also affects my userstyle for the topbar. Please don't break page styles :) Namespace your CSS.
Also, please fix your permissions as noted by jchung and others. I installed the extension only on my Chrome Canary because I was too lazy to check the entire JS for security problems (or malicious intent).
With some fixes however, this would be really nice to have.
Same problem here, although I can find your profile now. I wonder if it's relying on an external service and it takes time to generate. Maybe my name will work in a few minutes.
edit: oh, maybe the problem is to do with the logged in users profile is different (inputs vs. display) and because it's fetching locally it's seeing the edit fields?
edit edit: I think that's it! I logged out and I can fetch my profile fine.
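Added example, not the extension's own script nor any commenter's code: a field extractor that tolerates the situation diagnosed in the comments above, where the logged-in user's own profile renders fields as inputs/textareas instead of display text, and where a field may be absent altogether, so a scraper never ends up calling `split` on `undefined`. The HTML snippets are constructed for the example and are not claimed to match HN's real markup; `extractField` and `aboutLinks` are names chosen here.

```javascript
// Added example: defensive extraction of a labelled profile field.
// Assumes a two-column table where the first cell holds the label; the
// sample markup below is constructed and may differ from the real site.

// Undo the handful of entities that commonly appear in attribute values
// and text cells. "&amp;" is decoded last so it cannot create new entities.
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

function stripTags(s) {
  return s.replace(/<[^>]+>/g, '');
}

// Return the value of the field whose label cell reads `label` (with or
// without a trailing colon), handling three renderings of the value cell:
//   <textarea>...</textarea>      (owner editing a long field)
//   <input ... value="...">       (owner editing a short field)
//   plain text                    (anyone else viewing the profile)
// Returns null, never undefined, when the row is not present at all.
function extractField(html, label) {
  const re = new RegExp(
    `<td[^>]*>\\s*${label}:?\\s*</td>\\s*<td[^>]*>([\\s\\S]*?)</td>`,
    'i'
  );
  const m = re.exec(html);
  if (!m) return null;
  const cell = m[1];

  const textarea = /<textarea[^>]*>([\s\S]*?)<\/textarea>/i.exec(cell);
  if (textarea) return decodeEntities(textarea[1]).trim();

  const input = /<input[^>]*\svalue="([^"]*)"/i.exec(cell);
  if (input) return decodeEntities(input[1]).trim();

  return decodeEntities(stripTags(cell)).trim();
}

// The kind of thing a profile crawler wants: URLs mentioned in "about".
// Guarding the null case is what prevents the "split of undefined" crash.
function aboutLinks(html) {
  const about = extractField(html, 'about');
  if (about === null) return [];
  return about.split(/\s+/).filter(w => /^https?:\/\//.test(w));
}

// Constructed sample: how a visitor sees the profile.
const displayHtml = `<table>
<tr><td>user:</td><td>alice</td></tr>
<tr><td>about:</td><td>Hacker &amp; tinkerer. https://github.com/alice https://twitter.com/alice</td></tr>
</table>`;

// Constructed sample: how the owner sees the same profile (edit form).
const editHtml = `<table>
<tr><td>user:</td><td>alice</td></tr>
<tr><td>email:</td><td><input type="text" name="email" value="alice@example.com"></td></tr>
<tr><td>about:</td><td><textarea name="about">Hacker &amp; tinkerer. https://github.com/alice https://twitter.com/alice</textarea></td></tr>
</table>`;

// Constructed sample: a profile with no "about" row at all.
const emptyHtml = `<table>
<tr><td>user:</td><td>bob</td></tr>
</table>`;
```

The same three shapes (display text, `<input value>`, `<textarea>`) cover any field, so one extractor serves the whole profile; the null return, rather than `undefined`, is what lets callers branch explicitly instead of crashing.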
Besides the all-domain permissions which you might want to constrain a bit, I'd also remove the button which doesn't do anything. Chrome lets me hide it, but you could make me forego that step too.
Fancy, but as you may have discovered, blind link traversal is likely to come up with tons of really bad data. If you follow a Google Plus link, you'll inevitably get your own Google Plus information.
The company I work for does this as an API and I know the challenges behind it, so for a JS project, nice work!
When I attempted to "facebook like" this page, the preview displays "Find MSN Hotmail Hacker, Cash Advance and more at Hackerface.com. Get the best of Debt Consolidation or Insu...". OP might want to fix that.
I cancelled the installation when it asked for permission to access "your data on ALL websites".
It would be great to limit it to news.ycombinator.com and just the sites it really needs to access.
Why is it done this way?
EDIT: Format