
> No. Theming addons should not even be able to ask for those privileges.

That's not the principle of least privilege, that's a user rule, and it isn't necessarily a good one.

I can imagine, for example, a theming add-on which queries a weather API and picks colors based on that, perhaps displaying a nice weather bar in the status line.

Such a theme would need to be granted this privilege, which should ideally be restricted to a hosts list, such that the user could pick another weather endpoint, but the theme can't promise weather and give weather and Google Analytics or your choice of telemetry endpoint.



Agree, although what would be really useful is if the capability listed exactly what data will be queried from VSCode and sent to the remote endpoint.


Something like a declared list of DNS domains the extension wants to access?
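
The declared host list discussed in the comments above, sketched as an added example that is not part of the thread: the manifest shape, the `checkRequest` function and all host names are hypothetical and do not correspond to a real VS Code API. It assumes the editor, not the extension, mediates outbound requests, and that a user override replaces the declared host rather than adding to it.

```javascript
// Hypothetical manifest format (an assumption, not a real VS Code API).
// Each entry names one purpose and the default host the extension may contact.
const manifest = {
  name: "weather-theme",
  network: [{ purpose: "weather", host: "api.weather.example" }],
};

// Constructed user setting: the user points "weather" at their own endpoint.
const userOverrides = { weather: "wx.home.example" };

function normalizeHost(host) {
  // Lowercase and drop a trailing root dot so "Host.Example." == "host.example".
  return String(host).toLowerCase().replace(/\.$/, "");
}

// Build the effective allowlist. A user override replaces the declared host;
// it never adds a second one, so the grant stays one host per purpose.
function effectiveHosts(manifest, overrides = {}) {
  const hosts = new Set();
  for (const { purpose, host } of manifest.network ?? []) {
    const overridden = Object.prototype.hasOwnProperty.call(overrides, purpose);
    hosts.add(normalizeHost(overridden ? overrides[purpose] : host));
  }
  return hosts;
}

// Decide whether the editor should let this request leave the extension host.
function checkRequest(manifest, overrides, rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { allowed: false, reason: "non-HTTPS scheme" };
  }
  // Compare the parsed hostname exactly. Substring or prefix matching would
  // accept "granted.example@other.example" or "granted.example.other.example".
  const host = normalizeHost(url.hostname);
  if (!effectiveHosts(manifest, overrides).has(host)) {
    return { allowed: false, reason: `host not granted: ${host}` };
  }
  return { allowed: true, reason: "host granted" };
}
```
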



