
Yeah, I think a more meaningful critique here would be "Google should draw more visual attention to certain dangerous permissions like these, over less impactful ones."

Also, it's easy for users to click buttons and go "ohhhh, wait, no!" and there ideally should be something to account for this case too.

Yes, absolutely. I write a lot of stuff that uses Google OAuth in order to interact with Google apps on behalf of a user (generate calendar events from forum posts, etc). I ask for the auth scopes separately and my code makes it clear what it's asking for (and the extra auths are asked for outside of the login-authenticate stuff which is always super-basic).

Because of this, I'm extra attentive to what these scopes ask for and definitely don't sign up for anything that looks sketchy (especially the Gmail stuff) - most recently TripIt asked for that permission (I suppose to scan my email in order to find travel documents). Even if I trust that TripIt isn't going to misuse that auth right now, there's no way I'm allowing that credential.

I kind of wish I could set universal auto-reject at the Google account level of some auth scopes. Like, "I will never allow https://mail.google.com/ scope (or any of the https://www.googleapis.com/auth/* ones)".

Which is absolutely what the author asked for.
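
Added example, not code from any commenter or from Google: the scope auto-reject wished for above, sketched as a client-side check that reads the `scope` parameter of an OAuth 2.0 authorization URL and splits it against a deny-list. The deny-list entries are the two from the comment; the sample URL, client ID and redirect URI are constructed, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlsplit

# Deny-list from the comment above; a trailing "*" is treated as a wildcard.
DENIED_SCOPES = [
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/*",
]

# Constructed consent URL (client_id and redirect_uri are placeholders).
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE_CLIENT_ID"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.events"
)


def requested_scopes(auth_url):
    """Return the scopes named in an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(auth_url).query)
    scopes = []
    for value in query.get("scope", []):
        # RFC 6749: scope is a space-delimited list of case-sensitive strings.
        # parse_qs has already decoded both %20 and "+" to spaces.
        scopes.extend(value.split())
    return scopes


def review_consent_request(auth_url, denied=DENIED_SCOPES):
    """Split the requested scopes into (allowed, rejected) under the deny-list."""
    allowed, rejected = [], []
    for scope in requested_scopes(auth_url):
        # fnmatchcase keeps the comparison case-sensitive, as scopes are.
        if any(fnmatchcase(scope, pattern) for pattern in denied):
            rejected.append(scope)
        else:
            allowed.append(scope)
    return allowed, rejected


if __name__ == "__main__":
    ok, blocked = review_consent_request(SAMPLE_URL)
    print("allowed:", ok)
    print("rejected:", blocked)
```

A non-empty rejected list is the signal to decline the consent screen; the check reads only the URL and does not change what Google grants.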
