-
-
Notifications
You must be signed in to change notification settings - Fork 646
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added security and privacy note for add-ons to the user guide #16311
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not related to the content of the PR, but please don't submit PR's from the master branch of your fork. This will inevitably introduce difficulties for you later on.
- Read the description carefully. Does the add-on need questionable permissions? Does it track data? Does it share sensitive data with other sources that you don’t trust? | ||
- Check out the [community reviews #AddonStoreReviews] for the add-on. Are there any complaints about the add-on? Are there any reports about data being taken, or for anything that makes you feel unsafe? | ||
- The risk of vulnerabilities increases the more add-ons you installed. So be careful to keep the overview of the sources your add-ons come from. | ||
- If possible, check the permissions the add-on requests. If you don’t feel safe about a permission the add-on needs, maybe it is better to uninstall it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How I am supposed to do this? Honestly I'd suggest to remove mention of permissions until and unless NVDA introduces a permissions system for add-ons.
@@ -321,6 +321,7 @@ Before you're able to press the Continue button you will have to use the checkbo | |||
There will also be a button present to review the add-ons that will be disabled. | |||
Refer to the [incompatible add-ons dialog section #incompatibleAddonsManager] for more help on this button. | |||
After installation, you are able to re-enable incompatible add-ons at your own risk from within the [Add-on Store #AddonsManager]. | |||
But note that add-ons might introduce vulnerabilities, so check out the [note on security and privacy #AddonSecurityandPrivacy] to make sure you have all information needed before installing them. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Starting the sentence with 'but' seems strange. Perhaps something like:
But note that add-ons might introduce vulnerabilities, so check out the [note on security and privacy #AddonSecurityandPrivacy] to make sure you have all information needed before installing them. | |
Please note that add-ons might introduce vulnerabilities, so check out the [note on security and privacy #AddonSecurityandPrivacy] to make sure you have all information needed before installing them. |
cc @XLTechie for a native English speaker opinion.
++ Note on security and privacy when using Add-ons ++[AddonSecurityandPrivacy] | ||
Installing add-ons in NVDA leads to integration of external code into NVDA's functionality in order to enhance NVDA or make new features possible. | ||
Add-ons can also use external libraries and third party services to serve the purpose and provide the features for which they have been developed. | ||
Add-ons can be developed by every person or company, and the review process for these external feature providers happens when they are submitted to the NVDA’s official add-on store. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since add-on store was introduced review become optional. As a result most add-ons are not reviewed at all.
Add-ons can also use external libraries and third party services to serve the purpose and provide the features for which they have been developed. | ||
Add-ons can be developed by every person or company, and the review process for these external feature providers happens when they are submitted to the NVDA’s official add-on store. | ||
|
||
The review process of add-ons is still in development, so most of add-ons are not officially reviewed yet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
'officially' here implies 'by NV Access', which was never the case and probably never would.
- Insecure network connections | ||
- Files stored with insecure file permissions or in an unprotected location | ||
- Sensitive information written to an easily available log file | ||
- Web browser vulnerabilities |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This risk seems irrelevant to NVDA add-ons.
Closing this one in favor of #16316. |
Link to issue number:
n/a
Summary of the issue:
In many discussions, especially in corporate environments but also when users of other screen readers change to NVDA, there is no common perception of security and privacy status when using add-ons throughout the community of NVDA users.
Description of user facing changes
Users will get a common sense for the perception of the status of security and privacy when using add-ons.
Description of development approach
Discussion #16241 provides more details and current developments.
Testing strategy:
Tested that the formating of the text appears correctly in the user guide, including the link to the community review section.
Known issues with pull request:
None
Code Review Checklist: