Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added security and privacy note for add-ons to the user guide #16311

Closed
wants to merge 2 commits into from

Conversation

Adriani90
Copy link
Collaborator

Link to issue number:

n/a

Summary of the issue:

In many discussions, especially in corporate environments but also when users of other screen readers change to NVDA, there is no common perception of security and privacy status when using add-ons throughout the community of NVDA users.

Description of user facing changes

Users will get a common sense for the perception of the status of security and privacy when using add-ons.

Description of development approach

Discussion #16241 provides more details and current developments.

Testing strategy:

Tested that the formating of the text appears correctly in the user guide, including the link to the community review section.

Known issues with pull request:

None

Code Review Checklist:

  • Documentation:
    • User Documentation
  • Testing:
    • Unit tests
    • System (end to end) tests
    • Manual testing
  • UX of all users considered:
    • Speech
    • Braille
    • Low Vision
    • Different web browsers
    • Localization in other languages / culture than English
  • API is compatible with existing add-ons.
  • Security precautions taken.

@Adriani90 Adriani90 requested a review from a team as a code owner March 15, 2024 19:32
@Adriani90 Adriani90 requested a review from Qchristensen March 15, 2024 19:32
Copy link
Contributor

@lukaszgo1 lukaszgo1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not related to the content of the PR, but please don't submit PR's from the master branch of your fork. This will inevitably introduce difficulties for you later on.

- Read the description carefully. Does the add-on need questionable permissions? Does it track data? Does it share sensitive data with other sources that you don’t trust?
- Check out the [community reviews #AddonStoreReviews] for the add-on. Are there any complaints about the add-on? Are there any reports about data being taken, or for anything that makes you feel unsafe?
- The risk of vulnerabilities increases the more add-ons you installed. So be careful to keep the overview of the sources your add-ons come from.
- If possible, check the permissions the add-on requests. If you don’t feel safe about a permission the add-on needs, maybe it is better to uninstall it.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How I am supposed to do this? Honestly I'd suggest to remove mention of permissions until and unless NVDA introduces a permissions system for add-ons.

@@ -321,6 +321,7 @@ Before you're able to press the Continue button you will have to use the checkbo
There will also be a button present to review the add-ons that will be disabled.
Refer to the [incompatible add-ons dialog section #incompatibleAddonsManager] for more help on this button.
After installation, you are able to re-enable incompatible add-ons at your own risk from within the [Add-on Store #AddonsManager].
But note that add-ons might introduce vulnerabilities, so check out the [note on security and privacy #AddonSecurityandPrivacy] to make sure you have all information needed before installing them.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Starting the sentence with 'but' seems strange. Perhaps something like:

Suggested change
But note that add-ons might introduce vulnerabilities, so check out the [note on security and privacy #AddonSecurityandPrivacy] to make sure you have all information needed before installing them.
Please note that add-ons might introduce vulnerabilities, so check out the [note on security and privacy #AddonSecurityandPrivacy] to make sure you have all information needed before installing them.

cc @XLTechie for a native English speaker opinion.

++ Note on security and privacy when using Add-ons ++[AddonSecurityandPrivacy]
Installing add-ons in NVDA leads to integration of external code into NVDA's functionality in order to enhance NVDA or make new features possible.
Add-ons can also use external libraries and third party services to serve the purpose and provide the features for which they have been developed.
Add-ons can be developed by every person or company, and the review process for these external feature providers happens when they are submitted to the NVDA’s official add-on store.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since add-on store was introduced review become optional. As a result most add-ons are not reviewed at all.

Add-ons can also use external libraries and third party services to serve the purpose and provide the features for which they have been developed.
Add-ons can be developed by every person or company, and the review process for these external feature providers happens when they are submitted to the NVDA’s official add-on store.

The review process of add-ons is still in development, so most of add-ons are not officially reviewed yet.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

'officially' here implies 'by NV Access', which was never the case and probably never would.

- Insecure network connections
- Files stored with insecure file permissions or in an unprotected location
- Sensitive information written to an easily available log file
- Web browser vulnerabilities
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This risk seems irrelevant to NVDA add-ons.

Adriani90 added a commit to Adriani90/nvda that referenced this pull request Mar 17, 2024
@Adriani90
Copy link
Collaborator Author

Closing this one in favor of #16316.

@Adriani90 Adriani90 closed this Mar 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants