What permissions does the browser extension request?

All browser extensions must request certain permissions to access browser functionality. This page describes the permissions that the Trelica extension requests, and why it requests them. 

You can review the Trelica extension in full on the CRXcavator site:

https://crxcavator.io/report/igjpcenkahclnlkcldhphacgmfilbefd

If you are a customer, or potential customer, and require access to the unminimized source code then please contact support@trelica.com.


Chrome permission warnings

Chrome flags certain permissions when you install the extension.

Read and change all your data on all websites - scripting
The scripting permission is used to:
  • detect click actions in the browser on login buttons, in order to report actual login access, rather than just browsing activity (and thereby avoid false-positives);
  • examine the email address entered during a login process in order to verify if a company email address is being used, and therefore data should be tracked;
  • detect if MFA codes are being used.
Display notifications - notifications
The notifications permission is used to show a message to users if they are not logged in to the extension. Without this a user might not be aware if they are not logged in correctly and the extension had stopped reporting.
Know your email address - identity.email
Deployment at scale to all employees by the IT team is difficult if each user has to login to Trelica. This permissions lets the extension read the email address of the user who is logged in to Chrome or Edge. Trelica then issues an access token with minimal rights to allow the extension to submit data using the user's identity.
Manage your apps, extensions, and themes - management
Trelica has the ability to report back other extensions installed on the user's browser which requires the 'management' permission in order to get the names of the installed extensions.
Communicate with cooperating native applications - nativeMessaging
If a user isn't logged in to their browser (e.g. Chrome where Microsoft Entra ID is the primary IdP, Edge where Google Workspace is used, or on Firefox) we provide a small executable (the browser helper) which returns the current logged in macOS or Windows user to the browser extension. This avoids users having to login to the Trelica extension directly themselves. The communication between the two is managed using the Native Messaging protocol which requires this permission.

Other permissions

The extension requests other permissions which are not flagged by Chrome.

alarms
The extension submits data to the Trelica servers on a periodic basis. To do this, the extension registers itself with the browser alarms API so that it can perform actions on a schedule.
cookies
Cookie access is required as part of the login process to detect when a user logs in to app.trelica.com or eu.trelica.com in a browser tab. Cookie access is scoped by the browser to the 'Host permissions' which is set to https://*.trelica.com/*, so the extension only has access to cookies on trelica.com domains.
identity
The extension originally had support for using OAuth to login, which requires this permission to get a redirect URL as part of the OAuth protocol. This has been deprecated in the extension and the permission is being dropped from v1.3.76 onwards.
storage
The extension needs to store information about URL matching rules, general settings, and user activity before it is processed and sent to the Trelica servers. The benefit of this is that information can be processed as much as possible on the user's machine, minimizing information sent to Trelica.
tabs
This is needed to access the URLs the user is browsing to as part of the application detection process, and also to access the 'favicon' URL, so we can display an appropriate icon in the UI.
Host permissions
Permissions for https://*.trelica.com/* are required so that we can return data to the Trelica servers (otherwise there would be an error due to a cross-origin request). This also restricts cookie access to the trelica.com domain. 

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.