Reduce extension authorization scope #8
Comments
That bothers me as well. I hate when apps require such scary sounding permissions - not only scary, but also ambiguous, since what is meant by "your data" in this permission? The reason here is that Pinboard-Pin needs to know the URL and title of the page that you want to store on Pinboard and also must inject a small script into the page in order to get the description and keywords from the metadata to prefill the description and tag input fields. If you have any suggestions how this can be done with less scary permissions, let me know. I'll also experiment a bit to see if that permission can be avoided.
Thanks for the fast response! Of the features you describe, URL & title are obviously vital, but the other metadata less so. I have my own tagging scheme, so I don't think I'm interested in how the site has tagged itself. As for description, I'm guessing this is generally useful when pinning a site's front page, less so for individual articles, but I've never tried it so I don't know. Note that I'm working on a sample size of one here, and I've not even used your extension yet because the permission requests put me off. It could be that this metadata is far more useful to most other people. However, if my comments above don't sound too out-of-touch with reality, would it be possible to have the description & keyword filling be off by default, then request expanded permissions when the user turns it on in the settings? Obviously this depends on you being okay with the extended work this requires, and the insidious, often inadequate nature of "just make it a configurable setting" feedback.
This is a good idea. Thanks for the pointer to the permissions API. I wasn't aware that it exists - seems it was added this summer and not yet available when I created the extension. But I appreciate very much that this is possible now. I don't like it either when apps require access to microphone and camera because there is some hidden feature for audio and video messages which I don't use anyway.
I've now looked into this some more. In fact, the "access your data for all websites" is only necessary for running the script that extracts the description and keywords (from metatag or selected text). Making this optional, requesting only permissions for pinboard.api at install time and the permission for all other websites when the option is selected is in principle possible using browser.permissions. However, I'm currently blocked by a bug in Firefox which prevents requesting the permission from the options popup or about page.
Note to self: Should revisit this since it has allegedly been fixed in FF 61.
In FF 77 we now have optional permissions which probably can be used to implement this.
Note to self: See also "Requesting the right permissions". Also note that we now require an additional permission for the context menu, but it seems this does not trigger a permission request. Also: Don't forget to update DEVELOP.md when this has been implemented.
The authorization request on installation asks for permission to "Access your data for all websites". This seems like a far wider scope than is necessary - at most, it should be accessing my data for pinboard.in, surely?
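The opt-in flow discussed in the comments above, sketched with `browser.permissions` as an added example (not code from Pinboard-Pin). The manifest split, the `api.pinboard.in` host, `extract-meta.js` and the function names are assumptions; `api` stands for the WebExtension `browser` object, passed in so the logic can be exercised outside a browser.

```javascript
// Assumed manifest.json (Manifest V2) split between install-time and opt-in access:
//   "permissions":          ["https://api.pinboard.in/*"],
//   "optional_permissions": ["<all_urls>"]
const ALL_SITES = { origins: ["<all_urls>"] };

// Hypothetical handler body for the "prefill description and tags" checkbox.
// request() is called with no await in front of it: Firefox accepts the call
// only while the user-input handler is still on the stack. If the permission
// is already granted, request() resolves true without prompting again.
function setPrefill(api, enabled) {
  return enabled
    ? api.permissions.request(ALL_SITES)                   // false if the user declines
    : api.permissions.remove(ALL_SITES).then(() => false); // hand broad access back
}

// URL and title are always collected; the page is touched only when the
// broad host permission has actually been granted.
async function collectPinData(api, tab) {
  const pin = { url: tab.url, title: tab.title, description: "", tags: [] };
  if (!(await api.permissions.contains(ALL_SITES))) return pin;
  try {
    // extract-meta.js (hypothetical) evaluates to { description, keywords }.
    const [meta] = await api.tabs.executeScript(tab.id, { file: "extract-meta.js" });
    if (meta) {
      pin.description = meta.description || "";
      pin.tags = meta.keywords || [];
    }
  } catch (err) {
    // Privileged pages (about:, the add-ons site) refuse injection:
    // fall back to URL and title only.
  }
  return pin;
}
```

With this split the install prompt lists only the Pinboard host, and the "all websites" prompt appears only when the user turns the prefill option on.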