Add-on Excessive Permission Request
My Compact Header Add-on must be replaced after upgrade. Both available current options are asking for Permission to "Have full, unrestricted access to Thunderbird, and your computer". That "Full access ... to your computer" for an Add-on is a complete breach of all computer safety practice. I am a licensed Computer Engineer and I believe this is a serious breach of security and Mozilla should reject any Add-On which asks for such a permission. I/Users trust Mozilla/Thunderbird and have granted them full computer access. But the Add-ons are NOT Mozilla. Why on earth would an 3rd-party Add-on need access to anything except Thunderbird?? And the "Thunderbird add-ons" FAQ item "How do I install an add-on?" makes zero mention of any permissions granting needed at all.
This needs to change -- no one should accept a Permissions request for "Full access ... to your computer" from 3rd party actors. Know any other trustworthy Compact Header Add-ons?
All Replies (3)
Permission request messages for Firefox extensions and Tips for assessing the safety of an extension
Perhaps you are better placed to investigate whether the add-on actually abuses its "full access" to your computer. I'm no computer engineer, I wouldn't know where to start. Such findings would definitely help inform a lot of its users' decisions, don't you think?
The problem is that once Full Computer Access is granted, the Add-On could at any time in the future be hacked and a malicious party gets access to your computer. Mozilla should solve this issue at the root and NEVER have apps requesting such permission unless they are an app that intentionally deals with your files outside the Thunderbird/Firefox world. Working only with e-mail within Thunderbird as these apps do is NOT an excuse to have full computer access. It is Dangerous!
rickclemenzi said
The problem is that once Full Computer Access is granted, the Add-On could at any time in the future be hacked and a malicious party gets access to your computer. Mozilla should solve this issue at the root and NEVER have apps requesting such permission unless they are an app that intentionally deals with your files outside the Thunderbird/Firefox world. Working only with e-mail within Thunderbird as these apps do is NOT an excuse to have full computer access. It is Dangerous!
What does full access mean in this context? I don't know. But I do know I allowed it because I wanted a compact header addon. Or did I. The web page says it requires no permissions. I installed this. https://addons.thunderbird.net/en-US/thunderbird/addon/compact-headers/
However If you want to talk about permissions in detail I suggest you join the addon developer list at https://thunderbird.topicbox.com/groups/addons
But be aware the status of addons until Thunderbird 78 was that all addons had full access to everything. So the existence of permissions is relatively new, particularly in the mail context and from my reading developers are more interested in expanding what they can access using the API than permissions which really have little on no value in a fat email client where there is an expectation that an addon can access your mail and save it anywhere you want on the local machine that the user has access to..