launchWebAuthFlow & trust... #7

@wadabum

Hi, please consider removing the usage of chrome.identity.launchWebAuthFlow.

  • you can replace it by either just grabbing my cookie (or however they do it)
    (Live Followlist for Twitch appears to work this way)
  • or opening the flow in ACTUAL tabs so the address bar & similar are visible.
    -- "serverless" there was some black magic about return-urls&extensionIDs,
    -- "with server" a simple JS landing to trigger a chrome.runtime.sendMessage(extensionID, ... ) should do it

Users have been trained for years to pay attention to domains, HTTPS and using password managers;
this stupid popup Chrome opens breaks all of those in the worst way possible.

Most importantly, it also seems to enforce "manual sign-in" on Twitch's end?
So even the "open the site yourself, log in manually, now re-click the app's auth button and see that you are logged in already" does not seem to work.

launchWebAuthFlow is nice if "you want to log in to a Google account"
(AND you are also logged in with Chrome itself into that very same Google account)
- but for anything else it's spooky a.f.

And by the looks of it they don't intend to change this (2014): https://groups.google.com/a/chromium.org/g/chromium-extensions/c/g82Gfx0m9P8

Thanks
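
The receiving side of the "with server" option described in the issue, as an added example that is not part of the issue or the project's code: the extension's background script accepts the landing page's `chrome.runtime.sendMessage` only from one expected origin and only with a one-time `state` value. `ALLOWED_ORIGIN`, the message fields (`type`, `state`, `token`), the storage key and the function names are assumptions.

```javascript
// Added example (not the project's code). The landing page must also be listed
// under "externally_connectable" in the manifest to be able to message the extension.
const ALLOWED_ORIGIN = "https://auth.example.com"; // hypothetical landing page origin
const STATE_TTL_MS = 5 * 60 * 1000;
const pendingStates = new Map(); // state nonce -> expiry time (ms since epoch)

// Call before opening the login page in a normal tab (e.g. chrome.tabs.create);
// the returned value goes into the authorize URL's state parameter.
function beginLogin(now = Date.now()) {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  pendingStates.set(state, now + STATE_TTL_MS);
  return state;
}

// Pure check, so it can be exercised without a browser.
function acceptAuthMessage(message, sender, now = Date.now()) {
  let origin;
  try {
    origin = new URL(sender.url).origin; // exact origin match, no substring tests
  } catch {
    return { ok: false, reason: "bad-sender" };
  }
  if (origin !== ALLOWED_ORIGIN) return { ok: false, reason: "origin" };
  if (!message || message.type !== "oauth-result") return { ok: false, reason: "type" };
  const expiry = pendingStates.get(message.state);
  if (expiry === undefined) return { ok: false, reason: "state" };
  pendingStates.delete(message.state); // single use: a replayed message is rejected
  if (now > expiry) return { ok: false, reason: "expired" };
  if (typeof message.token !== "string" || message.token.length === 0) {
    return { ok: false, reason: "token" };
  }
  return { ok: true, token: message.token };
}

// Wire-up inside the extension; skipped when run outside a browser.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    const result = acceptAuthMessage(message, sender);
    if (result.ok) chrome.storage.session.set({ authToken: result.token });
    sendResponse({ ok: result.ok });
  });
}
```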
