[Copy PlainText] Why new permission? #375

Closed
Tragen opened this issue Oct 18, 2021 · 5 comments

Tragen commented Oct 18, 2021

The new version needs "Download files and read and modify the browser’s download history".
Why?

Owner

erosman commented Oct 18, 2021

Already #374

I added the option to export preferences which requires the Download permission, since v1.13 has custom Find & Replace, with Regular Expression support, which some users may prefer to have a back-up for.

It is also explained in add-on description under "Permissions Explanation:"

ctp9 commented Oct 18, 2021

I am glad somebody asked... because I was wondering the same thing. Is this new permission safe in the long run? Does it have the potential to be exploited by hackers to gain access to users' systems? Seems sort of unnecessary for such an extension that only copies and pastes plain text...

Owner

erosman commented Oct 19, 2021

> Is this new permission safe in the long run?

Permissions cover a Firefox API. The explanation of the permission sometimes sounds more daunting than what it really is.

Download Permission & API

  • Allows extension to save a file
    • If a location isn't set in Firefox Settings ➜ General ➜ Files and Applications ➜ Downloads ➜ Save files to, there will be a pop-up to ask the user where to save it, OR cancel it
    • If above location is set
      • If extension code is set to ask, there will be a pop-up to ask user where to save it (as in Copy Plain Text), OR cancel it
      • If extension code isn't set to ask, it will be saved in above location only
  • Allows extension to read & add/delete items in Download history

None of the above pose a significant security risk for the users. Files can ONLY be saved to the location set by the user. Additionally, extension code is checked by AMO (addons.mozilla.org) reviewer for security issues.

📌 Furthermore, in case of RECOMMENDED extensions, the code is also checked by AMO reviewer admin team before allowing it on the AMO.

> Does it have the potential to be exploited by hackers to gain access to users' systems?

Permission is only given to the extension. Outside sources, e.g. hackers or other extensions, don't have access to it.
Additionally, as explained above, the Download permission can only save a file via Firefox (not directly). Extension has no access to the users' system.

> Seems sort of unnecessary for such an extension that only copies and pastes plain text...

As mentioned in previous post, v1.13 has a powerful new Custom Find & Replace feature. Users can now add many more operations to the Copy & Paste to alter the text. Each entry can be a simple change 'abc' to 'xyz' or a complicated Regular Expression. Users who set up such custom replace might want to back up and/or share those settings. That is the reason for the feature to save extension settings to computer.

📌 There is only ONE permission that has the potential to access users' system via a 3rd party application (requires installation of the said 3rd party application by the user for it to work) and that is "Exchange messages with programs other than Firefox". None of the other extension permissions allow access to user's system.

Please note that almost all of the extensions with some preferences, have the feature to save those preferences, and thus require Download permission.


Here is the Custom section from the Help.

Custom

Click Add to enter new custom Find & Replace. You can enter text (global & case-insensitive), or Regular Expression in the Find box. Invalid patterns are marked when saving.

  • ➕ Add
    Click Add button to add a new entry

  • Replace
    Replace the Find & Replace entries and it will be replaced when saved

  • Delete
    Clear the Find entry and it will be removed when saved

Find & Replace Examples

| Find Pattern | Replace Pattern |
|---|---|
| Hello World | Good Morning |
| /Hello World/ | Good Morning |
| /Hello World/i | Good Morning |
| /Hello\s+World/gi | Good Morning |
| /Hello\s+(World)/i | Bye $1 |

Preferences: Import/Export

You can import/export Preferences (for backup or share) from/to a local file on your computer.

Import is non-destructive. Click save to apply the new settings.
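
How the rows of the Find & Replace table behave under JavaScript's regex rules, as an added example that is not the extension's own code. `compileFind` and `applyRules` are hypothetical names, and reading `/…/flags` input as a regex literal is an assumption drawn from the table.

```javascript
// Added example, not Copy PlainText's source.

// Turn one Find entry into a RegExp, or null when the pattern is invalid.
function compileFind(find) {
  const m = /^\/(.+)\/([a-z]*)$/.exec(find);
  try {
    return m
      // /pattern/flags: use exactly the flags the user typed.
      ? new RegExp(m[1], m[2])
      // Plain text: escape metacharacters, match globally and case-insensitively.
      : new RegExp(find.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'gi');
  } catch {
    return null; // bad syntax or unknown flag
  }
}

// Apply [find, replace] pairs in order; collect invalid Find entries
// instead of aborting, so one bad rule does not block the others.
function applyRules(text, rules) {
  const invalid = [];
  for (const [find, replace] of rules) {
    const re = compileFind(find);
    if (re) text = text.replace(re, replace);
    else invalid.push(find);
  }
  return { text, invalid };
}

// Constructed sample: without the g flag only the first match is replaced.
const sample = 'hello world, Hello World, Hello World';
console.log(applyRules(sample, [['/Hello World/', 'Good Morning']]).text);
console.log(applyRules(sample, [['Hello World', 'Good Morning']]).text);
```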

Author

Tragen commented Oct 19, 2021

Thanks for clarifying why the permission is needed. Very helpful

Owner

erosman commented Jul 25, 2023

v1.15

  • Changed "<all_urls>" and "downloads" to optional permissions
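
With "downloads" as an optional permission, an export flow can ask for it only at the moment the user exports and then force the save dialog described earlier in the thread. A sketch of that flow as an added example, not the extension's own code; `exportPreferences`, `toBlobUrl`, the `api` parameter and the file name are assumptions.

```javascript
// Added example, not Copy PlainText's source. `api` stands in for Firefox's
// `browser` object and is a parameter so the flow can be exercised with a stub.
// Assumed manifest.json entry: "optional_permissions": ["downloads"]

const toBlobUrl = (json) =>
  URL.createObjectURL(new Blob([json], { type: 'application/json' }));

// Call this directly from the Export button's click handler.
async function exportPreferences(api, prefs, makeUrl = toBlobUrl) {
  // request() must be the first await: Firefox only accepts it from a
  // user-input handler. It resolves to false when the user declines.
  const granted = await api.permissions.request({ permissions: ['downloads'] });
  if (!granted) {
    return { saved: false, reason: 'permission declined' };
  }

  const url = makeUrl(JSON.stringify(prefs, null, 2));
  try {
    const id = await api.downloads.download({
      url,
      filename: 'copy-plaintext-preferences.json', // hypothetical file name
      saveAs: true, // always show the file chooser; the user picks or cancels
    });
    return { saved: true, id };
  } catch (err) {
    // The promise rejects when the download does not start.
    return { saved: false, reason: err.message };
  }
}
```

A declined prompt leaves the extension without the downloads API entirely, so nothing is written and the download history stays out of reach.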
