Jira Assistant Issues

View #213 on GitHub to know more details

#213 - Security warning for new permission and extension disabled in Jira Assistant v2.35 update

shridhar-tl commented on Jun 30, 2022

Hi All, I would like to answer few questions people would get in their mind while seeing the security warning. Let me try to answer all the questions.

Before I answer your questions, let me inform you about something. This permission alert is not something I would get at the time of development. Only after it is published to web store and I try to install it, I got this alert and so until few hours back I was not aware such prompt would come for existing users. So I am working on ways to overcome this issue and would keep you posted.

1. Why this new permission? This is not any new permission. This permission has been their since beginning and when installing it would have prompted you to give that permission or when accessing Jira site for the first time depending on what browser you use.

2. Why is this permission required? This extension try to access Jira API for pulling and uploading data without requesting the user for any credentials. And Jira url differs for each and ever user and so I cannot request specific url for permission request. Hence using wild card url.

3. How it was working earlier? Earlier their was an option to provide optional permission seperately and while trying to access Jira, it would seperately request for permission. But now based on the new version of browser manifest updates these host permissions are moved out of optional permission to seperate host permissions block. I had just updated to latest browser manifest as suggested by Chrome Web Store and that is the cause for this permission request.

Here is the documentation talking about this change: Chrome Manifest Migration Document: https://developer.chrome.com/docs/extensions/mv3/intro/mv3-migration/#host-permissions

Here is the change in manifest I did based on above documentation: https://github.com/shridhar-tl/jira-assistant/commit/0a30b3bb32ef4f3684a71683308544809e1285b4#diff-aecdf3da33ff1939ec4e06ea217124f23622ecfcd2bf1bd529e0822ee9bbe1ec

4. How can users believe in this extension: This is an open source extension and source code is available in GitHub. Already multiple users / companies has reviewed the source code and any one interested can have a look at it if you feel so. Additionally, everytime when I publish the extension, Chrome Web Store, Firefox Store, Edge Extension store does automated and manual source code verification for security issues. Moreover, as I mentioned already, this is not a new permission. If you had believed in Jira Assistant so far, then nothing has changed in this version so that you will have to worry about it now.

If you do not have time to review the source code and still wants to feel safe, then I have one more suggestion. You can go to extension details page and their you can change permission to allow only specific site. That way your browser would take care of your security concern. As of now I haven't manually modified this and tested it and so I am not sure if all functionalities would continue to work well. But one of the user has confirmed that he had made this changes and extension is working fine.

image

Or you can also just open network tab in Chrome Dev tools or some other 3rd Party tools and ensure it doesn't send any data to any other sites. Of course I have google analytics enabled for site which just collect usage statistic information and no personally or any other data. But I have already provided an option in advanced settings page to disable analytics as well. Hence you have multiple ways to verify if it is safe to use this tool.

Most of the tools I build including Jira Assistant is open source and is not used for any data collection or earning anything from it. In fact, the expenses incured for maintaining the support website (ie. https://www.jiraassistant.com) is personally borne by me and I don't use these tools as a source of income even for paying out that expences. This tool is built and maintained purely based on self interest and is absolutely for no gain.

Hope that helps you. Please feel free to post your questions here in case of any other issues.

shridhar-tl commented on Jun 09, 2022

Hi All,

I have posted the issues in couple of community channels and waiting for some help into this issue. Just putting it here so that user can have updated informations.

https://groups.google.com/a/chromium.org/g/chromium-extensions/c/QCvvIqS9bFE

https://support.google.com/chrome/thread/166675308?hl=en

shridhar-tl commented on Jun 11, 2022

This issue has been resolved and would be available with Jira Assistant v2.37. But this update would be installed only for chrome users above v102. Hence if any of you are using older version of chrome, you are requested to upgrade to latest version of chrome which is also recommended for your safe browsing.

shridhar-tl commented on Jun 13, 2022

This change is already published and is currently in review by Chrome Web Store. This should be approximately approved and be available for public in around 1 more day.

shridhar-tl commented on Jun 15, 2022

This fix is available in Jira Assistant v2.37 and is available for users of Chrome v102.x. Kindly update your browser before trying to upgrade to latest version of JA.