Hacker News new | ask | show | jobs
by philsnow 764 days ago
In another post, you mention that there’s a header that can include an https link to POST a request to unsubscribe. So this extension and anything like it must be able to read email and send POSTs to arbitrary endpoints[0].

> ensuring your privacy

But only if we trust the extension author (and the authors of all of the transitive dependencies) to be neither malicious nor incompetent… right? I don’t know of resources that explain exactly what actions each permission in the manifest grants the extension to perform, nor a characterization of the execution environment of extensions. Do all browsers handle these matters similarly? Does some browser provide any more isolation or sandboxing than any other?

Edit: by no means did I mean to throw shade or cast doubt on your extension, I’m just grumpy in general and in particular about browser extensions, since nowadays “the browser is the OS”.

[0] or maybe there’s a gmail api that does it for you, and this extension actually can’t make arbitrary http connections?
1 comments
thefisola 764 days ago
I might be misinterpreting your question but I'll try to explain further, hopefully it makes sense:

So the way most email cleaning tools work is:

- Scan your emails for all your subscriptions - via Gmail API - Each subscription has a link, that link is what is used to unsubscribe the link can either be in the email header or email body - This can be a POST request or a GET request, in some complex cases a mail send to unsubscribe - With this link for each mailing list, mass unsubscription can happen

So the main difference here is, other tools do this on the third-party servers. InboxPurge does this on your browser/device (specifically the email scanning bit). Making HTTP requests to the Gmail API from your device.

Yes, it's also possible to build a browser extension that does this on a third-party server.

*Other things happen depending on the email cleaning tool but I've tried to simplify to explain better.

Hope it was helpful.

You can find the list of browser permissions a Chrome extension can request for here: https://developer.chrome.com/docs/extensions/reference/manif...

link