[netsharc]

I don't get it...

> With this Chrome extension, emails are not sent to any external servers.

Don't you have to send an "Unsubscribe" email? To an external server?

> All calls to the Gmail API happen locally on your device.

Aha, you mean in comparison to a "SaaS" where these things happen on a third party server...

[thefisola]

I assume you've answered your question but just to explain further:

So generally in order to actually help you mass unsubscribe from unwanted emails, most email cleaning tools handle your email data on their server. The process of parsing email data to fetching unsubscribe links or unsubscribe instructions etc..

So there's a trust problem where some tools have been caught selling user data: https://www.nytimes.com/2017/04/24/technology/personal-data-...

So the goal here with InboxPurge is to move all these processes related to your email data to your device(browser), ensuring your privacy.

[philsnow]

In another post, you mention that there’s a header that can include an https link to POST a request to unsubscribe. So this extension and anything like it must be able to read email and send POSTs to arbitrary endpoints[0].

> ensuring your privacy

But only if we trust the extension author (and the authors of all of the transitive dependencies) to be neither malicious nor incompetent… right? I don’t know of resources that explain exactly what actions each permission in the manifest grants the extension to perform, nor a characterization of the execution environment of extensions. Do all browsers handle these matters similarly? Does some browser provide any more isolation or sandboxing than any other?

Edit: by no means did I mean to throw shade or cast doubt on your extension, I’m just grumpy in general and in particular about browser extensions, since nowadays “the browser is the OS”.

[0] or maybe there’s a gmail api that does it for you, and this extension actually can’t make arbitrary http connections?

[thefisola]

I might be misinterpreting your question but I'll try to explain further, hopefully it makes sense:

So the way most email cleaning tools work is:

- Scan your emails for all your subscriptions - via Gmail API - Each subscription has a link, that link is what is used to unsubscribe the link can either be in the email header or email body - This can be a POST request or a GET request, in some complex cases a mail send to unsubscribe - With this link for each mailing list, mass unsubscription can happen

So the main difference here is, other tools do this on the third-party servers. InboxPurge does this on your browser/device (specifically the email scanning bit). Making HTTP requests to the Gmail API from your device.

Yes, it's also possible to build a browser extension that does this on a third-party server.

*Other things happen depending on the email cleaning tool but I've tried to simplify to explain better.

Hope it was helpful.

You can find the list of browser permissions a Chrome extension can request for here: https://developer.chrome.com/docs/extensions/reference/manif...