[GH-ISSUE #1637] Permission or Documentation Problem: Browser History Access Requested #1085

New issue

Closed

opened 2026-02-25 22:38:57 +03:00 by kerem · 6 comments

kerem commented 2026-02-25 22:38:57 +03:00

Owner

Copy link

Originally created by @gohrner on GitHub (Jun 12, 2024).
Original GitHub issue: https://github.com/floccusaddon/floccus/issues/1637

Which version of floccus are you using?

5.2.0.3

How many bookmarks do you have, roughly?

50

Are you using other means to sync bookmarks in parallel to floccus?

No

Sync method

WebDAV

Which browser are you using? In case you are using the phone App, specify the Android or iOS version and device please.

Chromium

Which version of Nextcloud Bookmarks are you using? (if relevant)

--

Which version of Nextcloud? (if relevant)

--

What kind of WebDAV server are you using? (if relevant)

Apache httpd

Describe the Bug

Today, Floccus was blocked by Chromium, as it seems to require an additional permission:

I didn't find info about it in the release notes, and this new permission is not documented:

https://floccus.org/guides/

Permission	Explanation
storage, unlimitedStorage	Necessary for maintaining a cache and mappings between server and browser bookmarks
alarms	Necessary for triggering synchronization in regular intervals
bookmarks	Necessary for creating and reading bookmarks
Unlimited web access	Necessary for accessing your self-hosted server. This cannot be limited, because everybody's server has a different URL. Unfortunately, the way webextensions work currently, floccus also gets access to all the data the browser has collected on those websites. However, floccus makes no use of that data and doesn't in any way collect information about you.
identity	Necessary for connecting with Google Drive

So I wondered if this is legit - it probably is, but there also have been more than enough reports of hijacked extensions (or whole Open Source projects, see liblzma), so I wanted to be sure.

Expected Behavior

New permissions required to use the browser extension should be documented and also mentioned in the release notes.

To Reproduce

I really didn't do anything and it broke, so I assume it's sufficient to install an older release of the Floccus Chromium extension and let the auto-update do its job.

Debug log provided

• I have provided a debug log file

Originally created by @gohrner on GitHub (Jun 12, 2024). Original GitHub issue: https://github.com/floccusaddon/floccus/issues/1637 ### Which version of floccus are you using? 5.2.0.3 ### How many bookmarks do you have, roughly? 50 ### Are you using other means to sync bookmarks in parallel to floccus? No ### Sync method WebDAV ### Which browser are you using? In case you are using the phone App, specify the Android or iOS version and device please. Chromium ### Which version of Nextcloud Bookmarks are you using? (if relevant) -- ### Which version of Nextcloud? (if relevant) -- ### What kind of WebDAV server are you using? (if relevant) Apache httpd ### Describe the Bug Today, Floccus was blocked by Chromium, as it seems to require an additional permission:  I didn't find info about it in the release notes, and this new permission is not documented: https://floccus.org/guides/ ```plain Permission Explanation storage, unlimitedStorage Necessary for maintaining a cache and mappings between server and browser bookmarks alarms Necessary for triggering synchronization in regular intervals bookmarks Necessary for creating and reading bookmarks Unlimited web access Necessary for accessing your self-hosted server. This cannot be limited, because everybody's server has a different URL. Unfortunately, the way webextensions work currently, floccus also gets access to all the data the browser has collected on those websites. However, floccus makes no use of that data and doesn't in any way collect information about you. identity Necessary for connecting with Google Drive ``` So I wondered if this is legit - it probably is, but there also have been more than enough reports of hijacked extensions (or whole Open Source projects, see `liblzma`), so I wanted to be sure. ### Expected Behavior New permissions required to use the browser extension should be documented and also mentioned in the release notes. ### To Reproduce I really didn't do anything and it broke, so I assume it's sufficient to install an older release of the Floccus Chromium extension and let the auto-update do its job. ### Debug log provided - [ ] I have provided a debug log file

kerem 2026-02-25 22:38:57 +03:00

• closed this issue
• added the
  question
  label

kerem commented 2026-02-25 22:38:58 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Jun 12, 2024):

Hello 👋

Thank you for taking the time to open this issue with floccus. I know it's frustrating when software
causes problems. You have made the right choice to come here and open an issue to make sure your problem gets looked at
and if possible solved.
I'm Marcel and I created floccus and have been maintaining it ever since.
I currently work for Nextcloud which leaves me with less time for side projects like this one
than I used to have.
I still try to answer all issues and if possible fix all bugs here, but it sometimes takes a while until I get to it.
Until then, please be patient.
Note also that GitHub is a place where people meet to make software better together. Nobody here is under any obligation
to help you, solve your problems or deliver on any expectations or demands you may have, but if enough people come together we can
collaborate to make this software better. For everyone.
Thus, if you can, you could also have a look at other issues to see whether you can help other people with your knowledge
and experience. If you have coding experience it would also be awesome if you could step up to dive into the code and
try to fix the odd bug yourself. Everyone will be thankful for extra helping hands!
One last word: If you feel, at any point, like you need to vent, this is not the place for it; you can go to the forum,
to twitter or somewhere else. But this is a technical issue tracker, so please make sure to
focus on the tech and keep your opinions to yourself.

I look forward to working with you on this issue
Cheers 💙

<!-- gh-comment-id:2162323585 --> @github-actions[bot] commented on GitHub (Jun 12, 2024): Hello :wave: Thank you for taking the time to open this issue with floccus. I know it's frustrating when software causes problems. You have made the right choice to come here and open an issue to make sure your problem gets looked at and if possible solved. I'm Marcel and I created floccus and have been maintaining it ever since. I currently work for Nextcloud which leaves me with less time for side projects like this one than I used to have. I still try to answer all issues and if possible fix all bugs here, but it sometimes takes a while until I get to it. Until then, please be patient. Note also that GitHub is a place where people meet to make software better *together*. Nobody here is under any obligation to help you, solve your problems or deliver on any expectations or demands you may have, but if enough people come together we can collaborate to make this software better. For everyone. Thus, if you can, you could also have a look at other issues to see whether you can help other people with your knowledge and experience. If you have coding experience it would also be awesome if you could step up to dive into the code and try to fix the odd bug yourself. Everyone will be thankful for extra helping hands! One last word: If you feel, at any point, like you need to vent, this is not the place for it; you can go to the forum, to twitter or somewhere else. But this is a technical issue tracker, so please make sure to focus on the tech and keep your opinions to yourself. I look forward to working with you on this issue Cheers :blue_heart:

kerem commented 2026-02-25 22:38:58 +03:00

Author

Owner

Copy link

@marcelklehr commented on GitHub (Jun 12, 2024):

Ah, I'm sorry for the lack of documentation. I've updated the website and the release changelog: https://github.com/floccusaddon/floccus/releases/tag/v5.2.0

<!-- gh-comment-id:2162364090 --> @marcelklehr commented on GitHub (Jun 12, 2024): Ah, I'm sorry for the lack of documentation. I've updated the website and the release changelog: https://github.com/floccusaddon/floccus/releases/tag/v5.2.0

kerem commented 2026-02-25 22:38:58 +03:00

Author

Owner

Copy link

@BloodyIron commented on GitHub (Jun 13, 2024):

That doesn't include the v5.2.0.3 sub-version though. And what's up with this aspect? (it can now) "read and change all your data on all websites".

I'm re-enabling it myself, but making these aspects forced and not optional is concerning to me. Something like this should be off by default and an option I can choose to enable. Is that not possible here?

As in, I probably care about the click history stuff, that sounds useful. But the... "change all your data on all websites" part, really do want to see an explanation on that please.

<!-- gh-comment-id:2166064333 --> @BloodyIron commented on GitHub (Jun 13, 2024): That doesn't include the v5.2.0.3 sub-version though. And what's up with this aspect? (it can now) "read and change all your data on all websites". I'm re-enabling it myself, but making these aspects forced and not optional is concerning to me. Something like this should be off by default and an option I can choose to enable. Is that not possible here? As in, I probably care about the click history stuff, that sounds useful. But the... "change all your data on all websites" part, really do want to see an explanation on that please.

kerem commented 2026-02-25 22:38:58 +03:00

Author

Owner

Copy link

@marcelklehr commented on GitHub (Jun 13, 2024):

That doesn't include the v5.2.0.3 sub-version though

So, due to technical limitations, v5.2.0.3 is the same as v5.2.0; v5.2.0.{0-2} were beta versions.

read and change all your data on all websites

This has always been there. I wrote it down as "Unlimited web access". Due to how browsers implement this I can only ask for one permission to both send requests to all possible web hosts as well as read and change data on all websites. There is no distinction.

<!-- gh-comment-id:2166447552 --> @marcelklehr commented on GitHub (Jun 13, 2024): > That doesn't include the v5.2.0.3 sub-version though So, due to technical limitations, v5.2.0.3 is the same as v5.2.0; v5.2.0.{0-2} were beta versions. > read and change all your data on all websites This has always been there. I wrote it down as "Unlimited web access". Due to how browsers implement this I can only ask for one permission to both *send requests to all possible web hosts* as well as *read and change data on all websites*. There is no distinction.

kerem commented 2026-02-25 22:38:58 +03:00

Author

Owner

Copy link

@BloodyIron commented on GitHub (Jun 13, 2024):

That doesn't include the v5.2.0.3 sub-version though

So, due to technical limitations, v5.2.0.3 is the same as v5.2.0; v5.2.0.{0-2} were beta versions.

read and change all your data on all websites

This has always been there. I wrote it down as "Unlimited web access". Due to how browsers implement this I can only ask for one permission to both send requests to all possible web hosts as well as read and change data on all websites. There is no distinction.

1. Thanks for clarifying on the versioning, I see how that comes to be. Maybe make the "release" version (next time?) match the non-beta version to avoid confusion? :P So in this case in the releases section I'd think it reasonable to see v5.2.0.3 so that I know it matches what I'm running on my compie. I don't necessarily need to see the beta versions in the "releases" section of github, but the "prod" style versions would be appreciated in general please. :)
2. I hear you on the limited options on your end, and appreciate you clarifying on that. I don't think you necessarily inappropriately communicated the state of things in the release notes, just due to the nuances you just described there was a touch of alarm in my experience. And yeah it sounds like your options are rather limited, I empathise with your side of that.

Thanks for clarifying on all that and continuing your work on this tool! I love this extension and use it constantly on multiple computers. Yay! :D

<!-- gh-comment-id:2166482764 --> @BloodyIron commented on GitHub (Jun 13, 2024): > > That doesn't include the v5.2.0.3 sub-version though > > So, due to technical limitations, v5.2.0.3 is the same as v5.2.0; v5.2.0.{0-2} were beta versions. > > > read and change all your data on all websites > > This has always been there. I wrote it down as "Unlimited web access". Due to how browsers implement this I can only ask for one permission to both _send requests to all possible web hosts_ as well as _read and change data on all websites_. There is no distinction. 1. Thanks for clarifying on the versioning, I see how that comes to be. Maybe make the "release" version (next time?) match the non-beta version to avoid confusion? :P So in this case in the releases section I'd think it reasonable to see v5.2.0.3 so that I know it matches what I'm running on my compie. I don't _necessarily_ need to see the beta versions in the "releases" section of github, but the "prod" style versions would be appreciated in general please. :) 2. I hear you on the limited options on your end, and appreciate you clarifying on that. I don't think you necessarily inappropriately communicated the state of things in the release notes, just due to the nuances you just described there was a touch of alarm in my experience. And yeah it sounds like your options are rather limited, I empathise with your side of that. Thanks for clarifying on all that and continuing your work on this tool! I love this extension and use it constantly on multiple computers. Yay! :D

kerem commented 2026-02-25 22:38:58 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Jun 14, 2025):

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

<!-- gh-comment-id:2972032312 --> @github-actions[bot] commented on GitHub (Jun 14, 2025): This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/fast-xml-parser-5.7.0

dependabot/npm_and_yarn/xmldom/xmldom-0.8.13

dependabot/npm_and_yarn/protocol-buffers-schema-3.6.1

master

fix/xml-entity-limit

all-contributors/add-aaryanvangari

fix/subscanner-residuals

test/subscanner-residuals

test/problematic-seeds

perf/improve-build-time

perf/native-startup

fix/continuation-null-cheks

dropbox

fix/clear-indexeddb-after-sync

dependabot/npm_and_yarn/vuetify-3.11.4

fix/slim-down-continuation

test/background-worker

refactor/fail-build-if-native-uses-browser-api

feat/improve-failsafe-wording

dependabot/npm_and_yarn/multi-0520f5abeb

feat/release-build

fix/more-mapping-errors

dependabot/npm_and_yarn/intl-messageformat-10.7.18

enh/split-sync-interval-and-auto-sync

enh/gdrive-timeout

feat/safari

feat/capabilities

feat/xxhash3

feat/murmur3

fix/gdrive-error-handling

fix/correctness-fixes

fix/linkwarden

feat/orion

fix/nocache-tests

feat/tab-groups

fix/git-never-force-push

fix/xbel-parse-errors

fix/git-push-errors

fix/chrome-main-folder-ids

dependabot/npm_and_yarn/multi-a9f852c250

chore/use-local-linkwarden-container-in-ci

all-contributors/add-balthanon

dependabot/npm_and_yarn/multi-7c5da94753

fix/revert-indexeddb-logger

fix/acknowlegde-abuse

dependabot/npm_and_yarn/eslint-import-resolver-webpack-0.13.10

fix/rip-out-continuations

fix/webdav-filesize-depth-header

fix/changes-while-syncing

fix/addition-failsafe-minimum

feat/indexeddb-logs

feat/addition-failsafe

fix/webdav-check-filesize

fix/orion

fix/bounded-exponential-backoff

fix/dont-repeat-on-sync-fail

fix-tests

fix/speedup-tab-update-cb

all-contributors/add-andybalaam

all-contributors/add-macrogreg

fix/parse-tag-value

fix/cleanup-deps

refactor/partial-set-data-with-lock

fix/nc-bookmarks-update

fix/move-stabiltiy-same-titled-folders

fix/ios-share-extension

fix/update-selenium

fix/chrome-net-errors

enh/nc-bm-js

sentry

fix/unidirectional-scanner-shoudl-use-mappings

enh/interrupts

dependabot/npm_and_yarn/vue-loader-17.4.2

ci/build-ios

enh/manifest-v3

release/4.19.0

fix/codeql

fix/google-drive-ios

all-contributors/add-dmotte

fix/unidirectional-sync

fix/interrupts

all-contributors/add-pinpontitit

all-contributors/add-dsiminiuk

test/old-apis

test/interrupts-on-nextcloud-bookmarks

feature/no-hashing-in-diff

feature/improve-diff-performance

capacitor

enh/rename-nextcloud-folders

fix/complex-hierarchy-reversal-2

tests/coverage

feature/google-drive

dependabot/npm_and_yarn/eslint-plugin-vue-7.6.0

fix/crypto

dependabot/npm_and_yarn/sass-1.32.7

dependabot/npm_and_yarn/css-loader-5.0.2

dependabot/npm_and_yarn/webpack-cli-4.5.0

fix/performance-hash-caching

dependabot/npm_and_yarn/eslint-plugin-standard-5.0.0

dependabot/npm_and_yarn/sass-loader-10.1.1

dependabot/npm_and_yarn/eslint-import-resolver-webpack-0.13.0

dependabot/npm_and_yarn/webpack-merge-5.7.3

dependabot/npm_and_yarn/p-queue-6.6.2

dependabot/npm_and_yarn/throttle-debounce-3.0.1

fix/lww-move-test

fix/overwrite-strategy

fix/root-folder-sync

enh/local-hash-cash

test/ci

ui/vue

cookie-hack

fix/travis

rollup

refactor/ui

webdav

refactor/modularize

v5.9.1

v5.9.0

v5.8.6

v5.8.5

v5.8.4

v5.8.3

v5.8.2

v5.8.1

v5.8.0

v5.7.0

v5.6.0

v5.5.6

v5.5.5

v5.5.4

v5.5.3

v5.5.2

v5.5.1

v5.5.0

v5.4.5

v5.4.4

v5.4.3

v5.4.2

v5.4.2-alpha.1

v5.4.1

v5.4.0

v5.3.4

v5.3.3

v5.3.1

v5.3.0

v5.3.0-beta.1

v5.2.7

v5.2.6

v5.2.5

v5.2.4

v5.2.3

v5.2.2

v5.2.1

v5.2.0

v5.2.0-beta.3

v5.2.0-beta.2

v5.2.0-beta.1

v5.1.7

v5.1.6

v5.1.5

v5.1.4

v5.1.3

5.1.3-beta.1

v5.1.2

v5.1.1

v5.1.0

v5.0.12

v5.0.12-beta.1

v5.0.11

v5.0.10

v5.0.9

v5.0.8

v5.0.7

v5.0.6

v5.0.5

v5.0.4

v5.0.3

v5.0.2

v5.0.1

v5.0.0

v4.19.1

v4.19.0

v4.18.1

v4.18.0

v4.17.1

v4.17.0

v4.16.0

v4.15.0

v4.14.0

v4.13.1

v4.13.0

v4.12.0

v4.11.0

v4.11.0-alpha.0

v4.10.1

v4.10.0

v4.9.0

v4.8.7

v4.8.6

v4.8.4

v4.8.3

v4.8.2

v4.8.1

v4.8.0

v4.7.0

v4.6.4

v4.6.3

v4.6.2

v4.6.1

v4.6.0

v4.5.0

v4.4.10

v4.4.9

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.4.0-rc1

v4.3.0

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.2.0-beta.4

v4.2.0-beta.3

v4.2.0-beta.2

v4.2.0-beta.1

v4.1.0

v4.0.4

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v4

v4.0.0-alpha.3

v4.0.0-alpha.2

v4.0.0-alpha.1

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.2

v3.4.1

v3.4.0

v3.4.0-beta.3

v3.4.0-beta.2

v3.4.0-beta.1

v3.3.2

v3.3.1

v3.3.0

v3.3.0-beta.5

v3.3.0-beta.4

v3.3.0-beta.3

v3.3.0-beta.2

v3.3.0-beta.1

v3.2.16

v3.2.15

v3.2.14

v3.2.13

v3.2.12

v3.2.11

v3.2.10

v3.2.9

v3.2.8

v3.2.7

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.15

v3.1.14

v3.1.13

v3.1.12

v3.1.11

v3.1.10

v3.1.9

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.10

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v3.0.0-beta.9

v3.0.0-beta.8

v3.0.0-beta.7

v2.2.9

v3.0.0-beta.6

v3.0.0-beta.5

v3.0.0-beta.4

v3.0.0-beta.3

v3.0.0-beta.2

v3.0.0-beta-1

v3.0.0-alpha-1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.0

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0.0-beta.2

v1.3.4

v2.0.0-beta.1

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.3.0-beta.5

v1.3.0-beta.4

v1.3.0-beta.3

v1.3.0-beta.2

v1.3.0-beta1

v1.2.0

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

Labels

Clear labels   

browser-specific

  

bug

  

correctness issues

  

enhancement

  

feature: Google Drive

  

feature: Linkwarden

  

feature: git

  

feature: nextcloud-bookmarks

  

feature: tabs

  

feature: webdav

  

help wanted

  

native-app

  

priority: high

  

priority: low

  

priority: medium

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question

  

stale

  

upstream

  

waiting for more information

  

wontfix

  

🙁 Not following issue template

No labels

browser-specific

bug

correctness issues

enhancement

feature: Google Drive

feature: Linkwarden

feature: git

feature: nextcloud-bookmarks

feature: tabs

feature: webdav

help wanted

native-app

priority: high

priority: low

priority: medium

pull-request

question

question

stale

upstream

waiting for more information

wontfix

🙁 Not following issue template

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/floccus#1085

No description provided.