This post was originally posted on my Ko-fi page.
On 1 July 2024, you may have witnessed Tab Shelf 2024.3.0 being released then quickly withdrawn within hours. You may or may not have received the 2024.3.0 update. Some may have received the 2024.3.1 update, which was just a re-versioned version 2024.2.2.
I'd like to acknowledge that version 2024.3.0's permissions were an overreach for many. In the 24 hours after version 2024.3.0's release, I made sure to listen to users and withdrew the release as soon as possible. Then made changes to remove reliance on the permissions that caused the most concern.
Prior to version 2024.3.0, Tab Shelf only relied on the following permissions:
- tabs
- tabGroups
- storage
- sidePanel
- favicon
- commands
In version 2024.3.0, the following additional permissions were added to Tab Shelf:
- bookmarks
- identity
- identity.email
- clipboardRead
- clipboardWrite
The bookmarks permission is required for a new feature in grouping rules, whereby a user could now select a site from their bookmarks to add to a rule. This permission will remain in Tab Shelf.
The identity and identity email permissions likely caused the most concern for users. One new feature was syncing your settings and grouping rules via your browser account. I wanted to disable the sync settings in the Settings and Grouping Rules pages so as to not confuse users who may not be logged-in to an account in their browser.
I would like to make it clear that Tab Shelf did NOT copy and store the user's email address. Google Chrome's Extensions API does NOT have a clean way to just check if the user is logged in or not by returning a TRUE or FALSE value. I myself did not want Tab Shelf to have access to the user's email address, but believed that it would be more beneficial to show the true state of sync eligibility.
As you can see in the screenshot below (a change comparison between versions 2024.3.0 and 2024.3.2, respectively), on the left is the sole place in Tab Shelf's code base where the user identity API is called. All I did was to check if an email address was present (i.e. its length was greater than 0). You can see on the right that this has since been removed.
As of version 2024.3.2, the user's logged-in state will not be checked and the sync toggle in Settings and Grouping Rules will always be available. If the user is not logged into their browser, then it will simply not sync Tab Shelf's settings or rules anywhere.
As for the clipboard permissions, they were being used by a button in the Settings and Grouping Rules import view to allow the user to paste a copied exported settings/rules value from another source. As of version 2024.3.2, the context menu (right-click menu) can be used to paste the exported value. The Ctrl/Cmd + V keyboard shortcut has not been affected.
Below is evidence that the offending permissions have been removed in version 2024.3.2's manifest file.
In order to rectify potential mistrust caused by this episode, I will communicate how Tab Shelf uses its Extensions API permissions much more clearly.
The privacy policy page in the Tab Shelf website has been updated to: firstly, clarify that the identity and clipboard permissions have been removed; and secondly, using a "permissions nutrition sheet", explain how the remaining permissions are being used by Tab Shelf.
https://www.tabshelf.com/privacy-policy
I would like to apologize for any panic caused by the new permissions, and inconvenience caused by the rollback. Moving forward, permissions changes will be communicated to users via the Tab Shelf website and via this Ko‑fi feed ahead of time. This will open these proposed changes to questions if you or others are unsure of the reasoning behind them.