-
-
Notifications
You must be signed in to change notification settings - Fork 145
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Privacy/Security: Make Discord Integration Optional #1179
Comments
Hi, Unfortunately, Firefox does not support optional permissions and the same permission request API that Chrome supports, making it impossible to have that feature without also having Firefox request those permissions at the time of the update. On Chrome, that's exactly how it works, the user has to request the permissions on discord and gets prompted at that point to accept or not just those additional permissions. What you could do is use the developer mode installation instructions from here: https://github.com/kakaroto/Beyond20#developer-mode-installation Lines 14 to 15 in e3eaedf
I don't believe this to be a privacy or security issue as the code is open source and auditable by anyone who wishes to do so, and no data is retrieved from discord in any way, the permission only allows the integration with roll20 discord activity. If you were to review the code, you'd see that no code runs on the discord page itself, but the permission is necessary in order to run the extension inside the roll20 activity (https://1199271093882589195.discordsays.com/) as it is an iframe inside the discord website. |
Hi, thanks for responding. I am a bit confused by your answer though, as it seems like there are optional permissions in Firefox. This is what I'm referring to: Is there a reason the Discord permissions cannot be implemented like the Forge and Astral VTT permissions are? Edit: Also, to clarify on the security issue - while we can audit the code, that's not something people are likely to do, or even capable of in many cases. Discord is, in my opinion, a very high value target for attackers - it's a way to impersonate someone to their friends and family. I trust you, but what happens if your access to the plugin repository is compromised and a fraudulent version is uploaded? Now suddenly we have a plugin that was legitimately granted access to sensitive service in a way that is potentially capable of bypassing authentication (including MFA). It doesn't need to request additional permissions, no red flags are set off for most users. This makes Beyond20 itself (and you, by extension) a high value target for attackers. If the permissions were instead opt-in, this would not be a problem. Things like roll20 and D&D Beyond do not have the same threat profile as something like Discord, which is a full social media platform at this point. I'm fine with authorizing a plugin to have access to those types of sites - they are single purpose and contain no sensitive data. |
Checking the docs, yes, it says it's supported, and I can set optional permissions in the extension manifest, but I have not been able to request the permissions dynamically. I've tried this more than once and it just doesn't seem to support it. The Forge is a mandatory permission, as well as the roll20 and beyond20 website. The astral tabletop one was also mandatory but it's been removed now since we dropped support for it. I don't know why it's showing all those as optional in your screenshot. I'll give this another look in the coming days, maybe 4th time's the charm... 🤷♂️ |
I appreciate you looking into it. If I had to guess, it's possible that I've had Beyond20 installed for so long in this browser that I have previously granted it the Astral tabletop permissions, and it simply remembers that because I have never revoked it, even though you no longer request it. Also, I'm not sure if it matters, but I am using the developer version of Firefox, so it's possible that its options are different from the standard version. |
I've just tested building the extension with the following removed from
The permissions now show up as:
However, this will obviously break the Discord integration. I think the way to fix this is to:
However, I have to add the disclaimer that I have not tested this, nor do I have experience with developing Firefox addons. This is just what I found out while messing with this for a bit. I hope it helps. |
Hi, Turns out, when I use The APIs were returning Re-opening the issue until I can do full QA on this and commit it. |
Fantastic news! Thank you again for taking the time to improve this. It is very appreciated. |
Hello,
The new Discord integration requires permissions to be granted to the extension on discord.com, for someone that never intends to use the Discord roll20 activity, this is an unnecessary and unwanted permission. I'm not sure why this has been included in the core permissions (for Firefox at least), when integration with multiple VTTs are under the optional permissions. Personally I consider this a privacy/security issue, and will not use Beyond20 with a browser logged into Discord until it is resolved.
Thanks!
The text was updated successfully, but these errors were encountered: