Show HN: Your own Google Photos in all of your new tabs - czue
https://chrome.google.com/webstore/detail/photos-new-tab/fpljkobkodmnmldgodfefnmjgjlljbjn
======
howderek
Line 17 of main.js

    
    
        var WEB_CLIENT_SECRET = '<redacted>';
    

Doesn't this let anyone else make API calls as your app?

This may be helpful:
[https://developers.google.com/identity/protocols/OAuth2UserA...](https://developers.google.com/identity/protocols/OAuth2UserAgent)

~~~
CobrastanJorji
I'm no expert on Google OAuth, so this could be wrong, but my understanding is
that this is totally fine.

The client secret is, despite its name, not necessarily intended to be secret.
Client ID / secret pairs can be locked down to only work with specific referer
headers or Application IDs. Also, they are only useful for purposes of quota
and don't provide authentication. A malicious entity could make calls against
the quota of this app (which is true for any app), but they couldn't easily
distribute the key or use it for other purposes very well.

~~~
czue
Yeah I debated this quite a lot and came to the conclusion that it was ok to
include. I put a comment in the source where I describe my understanding of
the threat model (though not sure if it makes it to the bundled extension?)
Here it is for reference:

    
    
      // I know this shouldn't be here but I've concluded based on a fair amount of
      // research that it is *impossible* to make a chrome extension that:
      //  1. Allows you to use accounts besides the default browser account
      //  2. Doesn't prompt for token/account renewal every hour
      //  3. Doesn't have any server-side code.
      // without including it here.
      // I figured I could obfuscate it, but no matter what it's going to be readily available
      // in the network tab anyways so I decided not to bother.
      // Here is some information about the threat model this exposes:
      // https://tools.ietf.org/html/rfc6819#section-4.1.1
      // In summary, the most dangerous thing is that people can use the renewal token
      // to get more access tokens to access your photos, if you've already approved this
      // and they get access to those things.
      // You can always revoke access via google at any time.
    

If it seemed worth it I could set up a server-side proxy to keep the secret a
secret, at which point I could revoke the existing secret (which would break
everyone's installed apps, but whatever). However, it didn't seem necessary
based on my read, and definitely not until I had validated that anyone wanted
to use it.

------
kkotak
Not giving access to my photos to a random app.

~~~
czue
That's totally fair. As the author I can attest that it's not doing anything
sketchy, and as has been mentioned elsewhere in the thread you can view the
unbundled source to confirm that. But no pressure to use it from me!

------
ljf
Nice concept, but I take a lot of photos, so there's a high chance they could be
one of the 'duff' ones or photos I don't really want to share with my office, or
with whoever is using my machine if I only use this at home. Can you filter by
folder or some other way of highlighting those you want to share?

~~~
czue
Yeah you can control which albums show up via a config page.

------
a1exyz
I think this is a great idea. However, I share kkotak's concern.

~~~
stickperson
Most people here (including myself) will have the same feeling. Would be great
if it was open source.

~~~
zulln
Chrome plugins basically are, though? It is just a bunch of HTML/JavaScript
files and a manifest.json.

~~~
stickperson
Good point

------
amelius
> in all of your new tabs

This is a bit confusing. My new tabs are for opening new web pages. And I
occasionally click on one of the recently opened page icons. Will those be
gone?

~~~
borski
This is just intended to replace the splash screen of when you open a new tab.
Instead of the icons and links, you get a nice photo before you type in the
URL.

------
notananthem
OK idea, but who uses Google Photos?

~~~
ljf
If you have an Android phone you likely do, as it backs them up at full res (if
the camera is 16 MP or below) for free. I've even installed it on my iOS
devices; since it is free, why not.

~~~
wapz
And Google has phenomenal downsizing capabilities for the free unlimited
storage. I back up my DSLR photos on Google Photos and I can print 5x8" without
any noticeable loss in quality. Here are some examples a user posted to Reddit
2 years ago.

[https://www.reddit.com/r/Android/comments/37pfn5/ive_made_an...](https://www.reddit.com/r/Android/comments/37pfn5/ive_made_an_album_comparing_original_files_vs/)