Added security and privacy note for add-ons to the user guide #16311
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lukaszgo1
suggested changes
Mar 16, 2024
| - Read the description carefully. Does the add-on need questionable permissions? Does it track data? Does it share sensitive data with other sources that you don’t trust? | ||
| - Check out the [community reviews #AddonStoreReviews] for the add-on. Are there any complaints about the add-on? Are there any reports about data being taken, or for anything that makes you feel unsafe? | ||
| - The risk of vulnerabilities increases the more add-ons you installed. So be careful to keep the overview of the sources your add-ons come from. | ||
| - If possible, check the permissions the add-on requests. If you don’t feel safe about a permission the add-on needs, maybe it is better to uninstall it. |
There was a problem hiding this comment.
How I am supposed to do this? Honestly I'd suggest to remove mention of permissions until and unless NVDA introduces a permissions system for add-ons.
| @@ -321,6 +321,7 @@ Before you're able to press the Continue button you will have to use the checkbo | |||
| There will also be a button present to review the add-ons that will be disabled. | |||
| Refer to the [incompatible add-ons dialog section #incompatibleAddonsManager] for more help on this button. | |||
| After installation, you are able to re-enable incompatible add-ons at your own risk from within the [Add-on Store #AddonsManager]. | |||
| But note that add-ons might introduce vulnerabilities, so check out the [note on security and privacy #AddonSecurityandPrivacy] to make sure you have all information needed before installing them. | |||
There was a problem hiding this comment.
Starting the sentence with 'but' seems strange. Perhaps something like:
Suggested change
| But note that add-ons might introduce vulnerabilities, so check out the [note on security and privacy #AddonSecurityandPrivacy] to make sure you have all information needed before installing them. | |
| Please note that add-ons might introduce vulnerabilities, so check out the [note on security and privacy #AddonSecurityandPrivacy] to make sure you have all information needed before installing them. |
cc @XLTechie for a native English speaker opinion.
| ++ Note on security and privacy when using Add-ons ++[AddonSecurityandPrivacy] | ||
| Installing add-ons in NVDA leads to integration of external code into NVDA's functionality in order to enhance NVDA or make new features possible. | ||
| Add-ons can also use external libraries and third party services to serve the purpose and provide the features for which they have been developed. | ||
| Add-ons can be developed by every person or company, and the review process for these external feature providers happens when they are submitted to the NVDA’s official add-on store. |
There was a problem hiding this comment.
Since add-on store was introduced review become optional. As a result most add-ons are not reviewed at all.
| Add-ons can also use external libraries and third party services to serve the purpose and provide the features for which they have been developed. | ||
| Add-ons can be developed by every person or company, and the review process for these external feature providers happens when they are submitted to the NVDA’s official add-on store. | ||
|
|
||
| The review process of add-ons is still in development, so most of add-ons are not officially reviewed yet. |
There was a problem hiding this comment.
'officially' here implies 'by NV Access', which was never the case and probably never would.
| - Insecure network connections | ||
| - Files stored with insecure file permissions or in an unprotected location | ||
| - Sensitive information written to an easily available log file | ||
| - Web browser vulnerabilities |
There was a problem hiding this comment.
This risk seems irrelevant to NVDA add-ons.
Adriani90
added a commit
to Adriani90/nvda
that referenced
this pull request
Mar 17, 2024
|
Closing this one in favor of #16316. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Link to issue number:
n/a
Summary of the issue:
In many discussions, especially in corporate environments but also when users of other screen readers change to NVDA, there is no common perception of security and privacy status when using add-ons throughout the community of NVDA users.
Description of user facing changes
Users will get a common sense for the perception of the status of security and privacy when using add-ons.
Description of development approach
Discussion #16241 provides more details and current developments.
Testing strategy:
Tested that the formating of the text appears correctly in the user guide, including the link to the community review section.
Known issues with pull request:
None
Code Review Checklist: