
Comments (9)

Samq64 commented on July 3, 2024

Alternatively the more options button could just open the browser's permission page. Toggle descriptions could be useful though.

from scratchaddons.

WorldLanguages commented on July 3, 2024

With this implementation, we may even decide to make all permissions optional and show them to the user during onboarding, even on browsers that grant us required host permissions during installation. That means Scratch Addons, whether used on Chrome or Firefox, would have the same flow of allowing site access.

Making all host permissions optional is planned by the Chrome extensions team, and we won't have a choice. The final design is yet to be seen, but I'm pretty sure Chrome wants to go away from granting host permissions when installing.

WorldLanguages commented on July 3, 2024

I don't think it will ever be necessary to ask for a scratchaddons.com host permission (we can always use a Scratch iframe if needed and configure CORS properly in our own website) but if we want, we could assume it is for the purpose of this UI and avoid any requests to it if it's disabled. Probably not a good idea?

Having separate permissions for scratch.mit.edu, api and clouddata makes very little sense as well. Remember that the scratch.mit.edu website can already access the other two, so the first permission implies the two others. If users want to disable all website addons but continue to use Scratch Messaging, we can provide something more intuitive instead, such as an extension pause button or disable toggle (there's more discussion in other issues).

I can only see the UI making sense if we add toggles for more sites, such as running editor addons on ScratchLab, CSFirst, etc.

DNin01 commented on July 3, 2024

> I don't think it will ever be necessary to ask for a scratchaddons.com host permission (we can always use a Scratch iframe if needed and configure CORS properly in our own website) but if we want, we could assume it is for the purpose of this UI and avoid any requests to it if it's disabled. Probably not a good idea?

Then the only benefit to requesting permission to scratchaddons.com would be that the user would understand why we are able to access it. (One would expect that we need that permission at first, right? But actually, we can just access it through a content script on a Scratch page we have access to.)

On the other hand, in general, it makes sense to request as few permissions as possible, so not asking for this permission would be one less impediment to getting started with Scratch Addons.

> Having separate permissions for scratch.mit.edu, api and clouddata makes very little sense as well. Remember that the scratch.mit.edu website can already access the other two, so the first permission implies the two others.

For users that don't know everything about Chrome's extension permissions system, that seems like a reasonable assumption. I don't think anyone would be surprised if we could access those Scratch endpoints using a single host permission to scratch.mit.edu.

WorldLanguages commented on July 3, 2024

To clarify, requesting the api and clouddata permissions directly is handy, as we can reach those subdomains from the background context with a normal fetch. But in theory, we could also access those two by making the requests from a scratch.mit.edu tab or background iframe.

WorldLanguages commented on July 3, 2024

> Then the only benefit to requesting permission to scratchaddons.com would be that the user would understand why we are able to access it.

I'm not the average user, but of course extensions can access public information where CORS headers are correctly configured. Some addons already do this with ScratchDB and Ocular.

DNin01 commented on July 3, 2024

> > Then the only benefit to requesting permission to scratchaddons.com would be that the user would understand why we are able to access it.
>
> I'm not the average user, but of course extensions can access public information where CORS headers are correctly configured. Some addons already do this with ScratchDB and Ocular.

Can that be done even from within extension pages without host permissions? I've never actually looked to see if an extension can make any fetch it wants or only fetches to sites that it has been granted a host permission to.

Either way, I'd bet if any requests were blocked by CORS, a host permission would be required.

DNin01 commented on July 3, 2024

So, extension pages can fetch anything, but I tried a bunch of Scratch URLs and the only one I was able to fetch from was an embeddable project page; all the others were blocked due to CORS. But other websites can access them... It's probably because extension pages' scheme is chrome-extension: but the requests we're trying to make are to https: pages.

And of course, fetches to any site that the extension has permission to access will succeed, regardless of the CORS configuration.

WorldLanguages commented on July 3, 2024

> But other websites can access them

No...?
Also, you want to distinguish between 1) making a request, 2) making a request with credentials/cookies, and 3) being able to read the response.

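The three questions separated in this thread (is the request made, does it carry credentials, can the response be read) and the effect of host permissions, as an added example that is not part of the thread or of Scratch Addons' code. It is a simplified model of a simple GET from an extension page; the extension origin and response headers are constructed, and `matchesHostPermission` and `evaluateFetch` are hypothetical helper names.

```javascript
// Added example: a simplified model, not Scratch Addons or browser code.
// Covers simple GET requests only (no preflight); SameSite cookie rules are not modelled.

// Does a host permission (Chrome match pattern) cover this URL?
function matchesHostPermission(pattern, url) {
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)(\/.*)$/.exec(pattern);
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (!m || !["http", "https"].includes(scheme)) return false;
  if (m[1] !== "*" && m[1] !== scheme) return false;
  const host = m[2];
  if (host.startsWith("*.")) {
    // "*.example.com" covers example.com and every subdomain.
    const base = host.slice(2);
    if (u.hostname !== base && !u.hostname.endsWith("." + base)) return false;
  } else if (host !== "*" && u.hostname !== host) {
    return false;
  }
  const escaped = m[3].split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + escaped.join(".*") + "$").test(u.pathname + u.search);
}

// Separates the three questions: is the request sent, does it ask for cookies,
// and can the calling script read the response?
function evaluateFetch({ origin, url, credentials = "same-origin", responseHeaders = {}, hostPermissions = [] }) {
  const crossOrigin = new URL(url).origin !== origin;
  const cookiesRequested = credentials === "include" || (credentials === "same-origin" && !crossOrigin);
  let reason;
  if (!crossOrigin) {
    reason = "same-origin";
  } else if (hostPermissions.some((p) => matchesHostPermission(p, url))) {
    reason = "host-permission"; // applies to extension pages and the background context
  } else {
    const acao = responseHeaders["access-control-allow-origin"];
    const acac = responseHeaders["access-control-allow-credentials"];
    const allowed = credentials === "include"
      ? acao === origin && acac === "true" // "*" is rejected for credentialed requests
      : acao === "*" || acao === origin;
    reason = allowed ? "cors-allowed" : "cors-blocked";
  }
  return { sent: true, cookiesRequested, readable: reason !== "cors-blocked", reason };
}

// Constructed values: placeholder extension origin; no real response headers are used.
const EXT = "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh";
const API = "https://api.scratch.mit.edu/";
// A grant for scratch.mit.edu alone does not cover the api subdomain.
console.log(evaluateFetch({ origin: EXT, url: API, hostPermissions: ["https://scratch.mit.edu/*"] }));
```

In every branch the request is still sent; only the caller's ability to read the response changes.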
