Subsonic Forum

[nunya]

minisub.jpg

Any reason this app need to track data for "ALL" websites visited?

[grumpwagon]

The reason is, if he limited it to just *.subsonic.org, then people who run servers on their own domain name couldn't use the mod. If you really care, it's open source, you can download the source and trivially change the permissions to only allow it to get to your specific server, then compile it.

[nunya]

Thanks for the explanation that's all I wanted....."Access to your data on ALL websites" sounds quite ominous & nefarious that's all. As I have no programming skills except for basic copy and paste is it possible to modify the next release where a novice could make this change in settings?

[tsquillario]

Yea Google really screwed me on this one. I was forced to upgrade to the manifest v2 which tightened security. Since all the requests I make are to YOUR Subsonic server URL, and since it can be ANY URL I have to ask for ALL (https://* & http://*) access. https://github.com/tsquillario/MiniSub/blob/master/manifest.json

I think the permission really means that I can make requests to any URL to pull data in, I can't see your browsing history or track what websites you are going to. I wish that I could request permission for your server URL after the fact but it is not possible at this point.

If you don't trust me, all the source code is open and available: https://github.com/tsquillario/MiniSub

Post on the Chromium Apps Forum
https://groups.google.com/a/chromium.org/forum/#!msg/chromium-apps/Q1M1HoLpOCo/3UISbUmOFd8J

[nunya]

That sucks it's all good it's not that I don't trust you, the app is great the wording google uses "Access to your data on ALL websites" not so much lol


A clearer explanation in "laymans" terms is what I was seeking and it was given many Thanks

[jol]

If you don't trust me, ..

I do trust, but I also trust into proven security mechanisms, which usually imply to restrict what an app can access. Think about a XSS vulnerability in MiniSub that now could be used to modify any other app running in the browser (maybe not Chrome today). Nobody is perfect, and if there is one experience over the last decade, then that hackers will find new ways to attack applications..
I assume for most users the Manifest orginates from the Subsonic server, correct? I like the idea of making it conifgurable on the server (as it is now standard add-on, Sindre would probably support that), and a reasonable default would be the hostname (and protocol) used in the request? (I know the default would fail in my setup with ARP in front of the server)
Thanks & Best regards, jol

[grumpwagon]

I like MiniSub a lot, don't get me wrong, but suggesting it's popular enough to be an attack vector for a consumer PC (no one is running a music frontend on their critical production servers, right?) is a bit outlandish.

[jol]

(no one is running a music frontend on their critical production servers, right?).

Likely not, at least not experts knowing what they do..

popular enough to be an attack vector for a consumer PC ... is a bit outlandish.

Why? Are you using a different PC for Subsonic and for home banking or similar applications? And lots of attackware try different exploits until they succeed.
You can call me paranoid, but I would never click Re-Enable in that prompt and yet assume all of my family members would do (not sure if they can, they are not admins on their respective PCs).
Best regards, jol

[tsquillario]

(no one is running a music frontend on their critical production servers, right?).

Likely not, at least not experts knowing what they do..

popular enough to be an attack vector for a consumer PC ... is a bit outlandish.

Why? Are you using a different PC for Subsonic and for home banking or similar applications? And lots of attackware try different exploits until they succeed.
You can call me paranoid, but I would never click Re-Enable in that prompt and yet assume all of my family members would do (not sure if they can, they are not admins on their respective PCs).
Best regards, jol

If anything you should be worried about your Subsonic server getting hacked, especially if your not using https. If I could design the App a different way to not have to prompt you I would. However Google doesn't allow you to specify the URL for ajax requests after the fact, you can only set them statically in the manifest. Don't use it man, no one is forcing you.

[jol]

Why? Are you using a different PC for Subsonic and for home banking or similar applications?

Just to be crystal clear: I am writing about a PC to listen to music (whatever client), not to run the Subsonic server.

If anything you should be worried about your Subsonic server getting hacked, especially if your not using https.

I am using https. http is blocked from the Internet. My familiy is not administrator. Music is the data I worry least about on my server (and also on my client). I am using Bitlocker, VPN, and I guess I know what I am doing (most of the time). However, I don´t expect all users to know what they are doing.

If I could design the App a different way to not have to prompt you I would. However Google doesn't allow you to specify the URL for ajax requests after the fact, you can only set them statically in the manifest. Don't use it man, no one is forcing you.

I assume the 95% scenario is MiniSub being downloaded from the Subsonic server, correct? Then why don´t you generate the Manifest on the server with the exact URL required? I haven´t seen this prompt in any of the apps I used, but plenty of them support Ajax and run on various servers.

Don't use it man, no one is forcing you.

Indeed that would be the consequence if I (continue to) get the popup. The warning is there for good reasons, and I am taking security warnings serious. Unfortunately I know most users don´t.
Best regards, jol

[tsquillario]

I assume the 95% scenario is MiniSub being downloaded from the Subsonic server, correct? Then why don´t you generate the Manifest on the server with the exact URL required? I haven´t seen this prompt in any of the apps I used, but plenty of them support Ajax and run on various servers.

The manifest only applies if you are installing this as a Chrome App from the Chrome Web Store. You have to manually create the manifest.json file and upload it to the Store. It cannot be dynamically generated. You find me an app that lets you specify your server URL and doesn't require the same permissions and I'd be glad to redesign things in that way.

I've got a thread on the Chrome app developer forum:
https://groups.google.com/a/chromium.org/forum/?fromgroups=#!topic/chromium-apps/Q1M1HoLpOCo

[jol]

You find me an app that lets you specify your server URL and doesn't require the same permissions and I'd be glad to redesign things in that way.

Thanks for challenging me. I learned something. But I cannot find an app, imho the permission concept of the chrome extensions container is just broken.

Chrome extensions are evil. Chrome extensions, if you've never done them, it's almost like they were invented for banking Trojans.

http://www.informationweek.com/security/application-security/google-chrome-extensions-6-security-fact/232700243
This is not blaming you, the container is broken. But the consequence is I have to ask you to reconsider whether this is an adequate platform, and I would not recommend any chrome extension to anyone. Downloading from a Subsonic server still looks like a much better solution without any security issue implied by the platform.
Best regards, jol