Vimium: Why does Vimium need permissions to edit my clipboard in version 1.65.1?

Um, this is mainly because Vimium once forgot to declare the permission, and it added the item back recently.
Vimium supports commands like "copyCurrentUrl" so it expects the permission

---Original---
From: "GeneClackman"<[email protected]>
Date: Mon, Feb 10, 2020 22:22 PM
To: "philc/vimium"<[email protected]>;
Cc: "Subscribed"<[email protected]>;
Subject: [philc/vimium] why does Vimium need permissions to edit my copies and pastes since the latest release? (#3489)

Chrome deactivated Vimium and told me it needed addiditional permissions, in particular permissions to change copied and pasted contents. Why is that?

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.

Seems like it shouldn't have the permission for Chrome according to: https://github.com/philc/vimium/blob/65ba63bdcf72f9ea09698d340fdb8c62dac3ad33/Cakefile#L82

yeah... I'm not really comfortable with this change.

also, the notes for this release is referencing an issue instead of a pull request:

Fix an issue with the HUD preventing some link hints from being shown (#3486).

I don't see a permission change in the diff https://github.com/philc/vimium/compare/ed78c1bbaf2e3f6346436708060e07f8872977a0...master . It could be just me being blind though.

Git blame of manifest.json and Cakefile also looks ok.

Maybe a package built from a different source code made it to the Chrome Store, but I'm just guessing here.

Disclaimer: I am looking at the source code of this project for the first time. I may have just overlooked something.

also, the notes for this release is referencing an issue instead of a pull request:

Fix an issue with the HUD preventing some link hints from being shown (#3486).

The issue was closed by a commit. I don't believe it is related to the permission change.

Folks, Vimium has had the clipboardRead permission since Jan 2012 (3ff0518014a51f237d1d98ebc15c0ce4be24c2b5) so I'm not sure why Chrome is prompting about it now. I believe the last time permissions were changed was in 2016 (dfbd68dd4462181be2e4d61ed255adaee5d39311).

The command "paste URL from clipboard" uses the clipboard read permission.

Clipboard reading isn't so bad considering it can see all data on a webpage. It's the clipboard editing, "clipboardWrite" that's scary.

I just verified it on one of my computers that didn't have the new version yet:

EDIT: I didn't notice the difference at first because my other computers are not displaying the permission list in English, but as juharris pointed out, it is different.

So just be clear, before it said:

Read data you copy and paste

Now in version 1.65.1, it says:

"Read and modify data you copy and paste

(emphasis mine)

Related: we do have clipboardWrite in manifest.json, but it gets stripped out as part of our build script for the chrome store package (see #2852) as @juharris noted, so it shouldn't be present in the Chrome store version. I verified the manifest.json as part of the chrome build omits this permission.

However, it is present in the Firefox build, because apparently we need it for yanking the current page's URL to the clipboard, but not in Chrome. See #2601.

Frustrating. I'm not sure what caused the updated permissions prompt. Chrome does have a new, beta developer portal which required me to enter an explanation for a handful of permissions we're using, so maybe this is the first time we're using some new permissions model.

The only explanation I can think of is that I mistakenly uploaded the firefox build artifact to the chrome store. The only difference is the set of permissions. I've done a version bump (1.65.2) and distributed it through the store; let's see if the permissions as displayed by Chrome reverts back to what it used to be.

Thank for the updates. I've removed Vimium for now until hopefully the new version without the clipboardWrite permission is propagated to the Store.

In light of this. I wonder if there's a way to verify the build and the uploaded artifacts are exactly the same?

Seeing 1.65.1 in the store (uploaded today)...

...which still wants to modify clipboard:

@philc What version did you bump to? Thanks

The latest version will be 1.65.2. Chrome store is still approving.

Here is just a tip: On Chrome, any extension can copy text to the clipboard, even without the permission of clipboardWrite.

---Original---
From: "Bao Nguyen"<[email protected]>
Date: Tue, Feb 11, 2020 05:16 AM
To: "philc/vimium"<[email protected]>;
Cc: "Comment"<[email protected]>;"Dahan Gong"<[email protected]>;
Subject: Re: [philc/vimium] Why does Vimium need permissions to edit my clipboard since the latest release? (#3489)

Thank for the updates. I've removed Vimium for now until hopefully the new version without the clipboardWrite permission is propagated to the Store.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.

Just saw vimium went to #3 of trending and also seeing the alert for requiring new permission, looks like lots of people finally have time to look at the OSS project :-)

For anyone wondering, Vimium has been updated to 1.65.2 on Google Chrome. It now reflect the changes, and does not require special perms to modify the clipboard data. Thanks for the update @philc.

That’s great. Sorry for the mixup everyone! I’ll make some changes to the
build process to make this error less likely in the future.

On Tue, Feb 11, 2020 at 2:59 AM ❂ notifications@github.com wrote:

For anyone wondering, Vimium
https://chrome.google.com/webstore/detail/vimium/dbepggeogbaibhgnhhndojpepiihcmeb
has been updated on 1.65.2 on Google Chrome. It now reflect changes, and
does not require special perms to modify the clipboard data. Thanks for the
update @philc https://github.com/philc.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/philc/vimium/issues/3489?email_source=notifications&email_token=AAACDFXL6REZESP3B3ML5OLRCKAJ7A5CNFSM4KSPBCVKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOELL74PQ#issuecomment-584580670,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAACDFUXZYILIEDMLQXLZNLRCKAJ7ANCNFSM4KSPBCVA
.

In 1.66 it still has the permissions to read all copy/pasted passwords and such... Is this really needed for vim functionality? I don't think I'm the only one who isn't clear one this yet. @philc

In 1.66 it still has the permissions to read all copy/pasted passwords and such... Is this really needed for vim functionality? I don't think I'm the only one who isn't clear one this yet. @philc

Very true. It would be great to have an option to disable yank and paste completely which I would imagine silence this alarm?