Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

OP (or whoever authored the app), open your manifest.json file, go to line 20, and edit the permissions line to remove the all-domain permissions. Here are your current permissions:

  "permissions": [ "http://news.ycombinator.com/", "http://news.ycombinator.org/", "https://news.ycombinator.com/", "https://news.ycombinator.org/", "https://*/*", "http://*/*" ],
FTFY:

  "permissions": [ "http://news.ycombinator.com/, "http://news.ycombinator.org/, "https://news.ycombinator.com/, "https://news.ycombinator.org/],
I'm not going to read through all of your js to figure out what other domains you really need. Kudos on the idea -- I like it. Just not ideal to ship an app to this audience with the unnecessary security nail-biter during install. Fix and push and you should be good to go.

EDIT: Format



While I agree with your point, the extension will need permissions for all the sites it's contacting besides Hacker News (Twitter, LinkedIn, etc). I'm guessing Gwendall figured he might as well put a lax permission while developing to make it easy on him. It'd still be a good time to clean this up.


hackerne.ws should also be whitelisted.


On a related note, what is a quick way to view an extension's source code without actually installing it?



The reason it needs all permissions is that some people have their own pages and the data is on there. So you might need permission to crawl those secondary pages for twitter and github (?)

At least I think that's how it works. I could be wrong.


That's correct.


Couldn't you set up a proxy and just whitelist that? Excellent piece of work btw.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: