
On the other side of the coin, Firefox makes it quite hard to push updates to users that require more permissions, requiring manual intervention to update. It signifies this with a small muted yellow exclamation mark on the hamburger menu, which is really hard to see.

I've not received my own updates for weeks a few times because I haven't noticed the warning, and about a third of our users are on ancient versions presumably because of it [1].

I think the real solution to this problem is GDPR: massive fines if you abuse your users' trust (and get caught).

I'm not keen on the literal dark pattern that Firefox uses to dissuade developers from requiring new permissions.

[1] https://addons.mozilla.org/en-US/firefox/addon/tridactyl-vim...

Firefox (Chrome) should make it very easy for anyone to audit what extensions/plugins are doing.

If url, div, cookies and any other info are collected, what are they?

What server connections are made by the extension, IP, Name, contents of info transmitted?

All the GUI, collection system should be in place as part of JS dev/debug tools already. Just customize it a bit so any tech-savvy users can check the audit logs and enable more logging for a plugin if needed.

If a user spots something not right, it is also easy to out the "plugin/extension" on a public forum.

Actually, Chrome does this too:

> Chrome prompts the user if adding the permissions results in different warning messages than the user has already seen and accepted.[1]

[1]: https://developer.chrome.com/extensions/permissions

The thing with Chrome extensions is, many, many extensions already require the ability to interact with every page you visit, which is essentially Chrome extension root. If your extension already requires this, you don't need to add permissions when you update / sell your extension, so nobody is warned.

Firefox is in the right here. I absolutely do not ever want extensions to automatically get new permissions just because I accepted an old version's lesser permissions.

If you want more permissions, then ask for more permissions.

And don't be surprised when people say NO.

Not everyone wants to grant the permissions to your update even if the update fixes bugs in older versions. Not everyone will want your new feature in the first place. Denying permissions is an easy way to eliminate the risk of having to go through and figure out whether or not the new feature is trustworthy.

And if you're not adding a new feature, then why do you need more permissions?

Automatic permission addition is totally unacceptable, agreed. But I do think that Firefox should actually ask, at least once. A vague exclamation point on the edge of the screen isn't really a sufficient way of handling that for extensions a user has chosen to add.

> then ask for more permissions.

I agree with you. As another reply to you states, however, Firefox doesn't currently let me ask. You have to kind of go hunting for it.

> And if you're not adding a new feature, then why do you need more permissions?

Firefox does not let me explain why the permissions are needed. It would be nice if we could have a little blurb where we can state our case next to each permission.

Our current approach is to explain likely upcoming permissions requests in advance and ask our users to stay vigilant for the appearance of the tiny yellow exclamation mark, but that's not very helpful to the third of users stuck on old versions before we learnt that trick.

> And don't be surprised when people say NO.

I think very few of these users have said no on purpose. We ask for (and use) almost everything [1], so any marginal new permissions are unlikely to give us much more power. The current permission model actually makes it tempting to just literally ask for everything because we might want it for a new feature in the future.

The optional permissions are not fine-grained enough to be useful (you can accept all optional permissions, or none) and not available for enough permissions, otherwise we would use them.

Also, the first versions of our software were really slow and bad. I really doubt many people are staying there on purpose. (If there are any Tridactyl users in this thread using an old version on purpose, I'd like to hear from you :) ).

[1] https://github.com/cmcaine/tridactyl/blob/e20a224fb8d8bbb2b7...

Firefox and Chromium are both open source. If you don't like the way it works, then work with the teams to build a better experience.

I can kind of understand that charge when it is levelled at people complaining about Quantum and doing nothing about it, but I already spend countless hours a week working on a replacement for an extension that died because of Quantum.

How much more time can I reasonably be expected to donate? Just trying to find duplicates on the BMO could take ages.

Complaining into the void on the internet takes much less time and makes me feel better :)

Maybe start pointing out how things are far too complex and work to reduce complexity instead?

New permissions shouldn't be taken lightly. One day you'll install an extension that has access only on a specific site, and the next day it's requesting access to all your bookmarks, location data, history etc. If you make it into a next next next dialogue box you're implementing an easily abused dark pattern.

A better approach would be to allow extension upgrades, irrespective of permissions. If a user chooses to deny permissions the extension should still work on the latest version.

Why not just return empty datasets to extensions that ask for too much? Empty history, empty address book, white noise for camera and microphones, etc. Then it would be possible not only to ‘accept’ what it does or uninstall, but seamlessly deny what you don’t want.

Yes, agree!
