Request for auto-connection for Recollectr

Hello Snapcraft Team!

We’re wondering about whether we can be approved for auto-connection to allow Recollectr to communicate with Google Chrome via its Native Messaging Hosts feature (and later we’ll request the same for Firefox when we support it).

The rationale for this is that it allows us to piggy-back off of the browser’s notification system, which integrates seamlessly in the OS notification management panels of some distros.

The plug configuration we would need to enable that functionality looks like this:

    'personal-files': {
      read: ['$HOME/.config/google-chrome/NativeMessagingHosts'],
      write: ['$HOME/.config/google-chrome/NativeMessagingHosts'],
    },

We’ve been using this system for notifications for a few years now and it works great. Our built-in notification system is pretty clunky in comparison, so it seemed like it was time to make this request and get the Snap Store version of our app fully up to speed.

The Chrome extension that we’d be communicating with can be found here: https://chrome.google.com/webstore/detail/recollectr-web-extender/hpipmbnaleeogemgfdbabiaaagldgokn?hl=en

Happy to answer any questions, and thanks for reading!

This request is similar to ones we have had in the past - e.g. "Allow classic confinement for postman-agent" and "System-files under .mozilla/native-messaging-hosts". As such, access to native messaging allows snaps to escape confinement and so is akin to classic confinement.

Would it make more sense in this case to use system-files as in the second case above since this is perhaps clearer overall what the result is to a user (possible sandbox escape), and would be more in-line with how this has been done historically for other snaps?

Also, in either case we would want to perform publisher vetting as is done for "Process for reviewing classic confinement snaps" due to the security implications of such a request.


Thanks for your reply @alexmurray and sorry for the delayed reply! The concern about sandbox escape via the terminal command/batch file the browser will invoke makes sense.

Can you provide any clarity on the distinction between personal-files and system-files in this case? Is the idea only to better inform the user of the possible implications, or is there some additional rationale?

Can you clarify also, if we pursued this and went through the publisher vetting - the app would still be in strict confinement, correct? It’s just the publisher vetting level you’re discussing, not the actual containment level - i.e., the user wouldn’t need to specify --classic to install it?

Thanks again!
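
An added example, not code from Recollectr, the Snapcraft team or any poster in this thread: each manifest in a NativeMessagingHosts directory names an executable that the browser launches itself, which is why write access to that directory is treated here like classic confinement. The Python script below audits such a directory for what each manifest would launch and which extensions may call it. The manifest keys follow Chrome's native messaging format; the `com.example.*` names, the sample files built by `demo()` and the second extension ID are constructed.

```python
import json
import stat
import tempfile
from pathlib import Path

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # writable by group or by others

def audit_native_hosts(hosts_dir, expected_origins):
    """Report what each native messaging manifest in hosts_dir lets the browser launch."""
    findings = []
    for manifest in sorted(Path(hosts_dir).glob("*.json")):
        try:
            data = json.loads(manifest.read_text())
            host = Path(str(data["path"]))
            origins = list(data.get("allowed_origins", []))
        except (OSError, ValueError, KeyError, TypeError):
            findings.append({"manifest": manifest.name, "flags": ["unparsable"]})
            continue
        flags = []
        if not host.is_absolute():
            flags.append("relative-path")
        elif not host.is_file():
            flags.append("missing-host")
        elif host.stat().st_mode & LOOSE:
            flags.append("host-writable-by-others")
        if manifest.stat().st_mode & LOOSE:
            flags.append("manifest-writable-by-others")
        if any(o not in expected_origins for o in origins):
            flags.append("unexpected-origin")
        findings.append({"manifest": manifest.name, "host": str(host),
                         "origins": origins, "flags": flags})
    return findings

def demo():
    """Audit a constructed directory holding one tidy and one loose manifest."""
    ext = "chrome-extension://hpipmbnaleeogemgfdbabiaaagldgokn/"  # ID from the store URL
    other = "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"  # constructed
    root = Path(tempfile.mkdtemp())
    for name, mode, origins in [("com.example.tidy", 0o755, [ext]),
                                ("com.example.loose", 0o777, [ext, other])]:
        host = root / (name + ".sh")
        host.write_text("#!/bin/sh\n")
        host.chmod(mode)
        manifest = root / (name + ".json")
        manifest.write_text(json.dumps({"name": name, "description": "constructed",
                                        "path": str(host), "type": "stdio",
                                        "allowed_origins": origins}))
        manifest.chmod(0o644)
    return audit_native_hosts(root, [ext])
```

To check a real profile, pass the NativeMessagingHosts path from the plug configuration above and the extension origins you expect to `audit_native_hosts`.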