Several people have emailed me asking about the new permissions dialog that Google is presenting to users after updating to the latest (9.3) version of Enhanced Steam. I thought it might be best to go over that in detail here so that I can simply link them back to this article which will explain in as much detail as I can about what happened, why it happened, and how it affects you as a user. My goal with Enhanced Steam is always to be 100% transparent to users about what the extension does, and rest assured knowing that Enhanced Steam is still open source and freely available.
After updating to Enhanced Steam 9.3 in Google Chrome, users were presented with the following dialog box that (admittedly) looks kinda scary:
The “it can now” section in particular seems a bit overwhelming because it implies that Enhanced Steam couldn’t already do most of these things, which prompts users to ask “Why does it suddenly need permission to…?” The truth is, Enhanced Steam has had the same “Read and change your data on all steampowered.com and steamcommunity.com sites” since version 2.3 released in March of 2013. The extension needs this permission or it wouldn’t be able to actually do anything. In order to enhance Steam, Enhanced Steam needs to be able to alter pages on Steam. The new site added that is prompting the permissions change is store.steampowered.com, but if you think about it logically – this is already part of “all steampowered.com sites”, so what gives?
Why it happened
We made a change that fixed an issue where some CSS code was being applied erroneously to store pages that was meant to only execute on the homepage of Steam. I thought (incorrectly, it turns out) that a new pattern match to store.steampowered.com – the Steam home page – would fall under the existing manifest permissions that already grant the extension access to all steampowered.com pages. However, because of this change Google flagged the extension as having “new permissions” and responded accordingly by disclosing that information to users and asking them if they wanted to continue using Enhanced Steam. Typically this is a good thing for Google to do because there are some unscrupulous extension vendors out there who try to pull these changes over on users in order to do nefarious things with the new permissions they give themselves. Because people have to ruin things for the rest of us, Google has to make this window look as imposing as possible and give users an easy way to opt-out of using the extension. Because this looks imposing and because everyone’s heard horror stories about extensions wreaking havoc, this permissions warning might seem more scary than it actually is. Google is erring on the side of caution here, and that’s not really a bad thing.
One complaint I have with Google is that, as a developer, there was no additional information or warning dialog presented to me when I uploaded this version. No “Your extension permissions have changed, are you sure you want to proceed?” message. I wasn’t aware of this change until I updated the extension myself from Google. If I were given a heads-up on this, I could have investigated the issue and corrected it before inconveniencing users or having them think that some foul plot was underway. Google also has no roll back functionality for developers, and even uploading a new version that fixes this mistake would not have prevented users from seeing this dialog. I will open a support ticket with Google to see if this process could be updated so that hopefully this doesn’t happen again by mistake.
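The kind of pre-upload check described above can be run locally by comparing the host match patterns of two manifest versions. The following is an added example, not code from Enhanced Steam or from Google; the two manifests are constructed stand-ins (the real files are not shown on this page), and path comparison is deliberately conservative. It reports every pattern string that is new in the update, separating those already covered by an older pattern from those that reach new hosts, since this page shows that even a covered pattern can trigger the prompt.

```javascript
// Host match patterns in a manifest: host entries in "permissions" /
// "host_permissions" plus every content_scripts[].matches entry.
function hostPatterns(manifest) {
  const isHost = (s) => s === "<all_urls>" || /^(\*|[a-z]+):\/\//.test(s);
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const matches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...new Set([...perms.filter(isHost), ...matches])];
}

function parse(pattern) {
  if (pattern === "<all_urls>") return { all: true };
  const m = /^(\*|[a-z]+):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error("not a match pattern: " + pattern);
  return { scheme: m[1], host: m[2], path: m[3] };
}

// True when every URL matched by newP is already matched by oldP.
// Paths are compared conservatively: only "/*" is treated as covering others.
function covers(oldP, newP) {
  const a = parse(oldP), b = parse(newP);
  if (a.all) return true;
  if (b.all) return false;
  const schemeOk = a.scheme === b.scheme || (a.scheme === "*" && /^https?$/.test(b.scheme));
  const base = a.host.replace(/^\*\./, ""), h = b.host.replace(/^\*\./, "");
  const hostOk = a.host === "*" ||
    (a.host.startsWith("*.") ? b.host !== "*" && (h === base || h.endsWith("." + base))
                             : a.host === b.host);
  return schemeOk && hostOk && (a.path === "/*" || a.path === b.path);
}

// Patterns added by the update, split by whether older patterns already cover them.
function reviewUpdate(oldManifest, newManifest) {
  const before = hostPatterns(oldManifest);
  const report = { alreadyCovered: [], newAccess: [] };
  for (const p of hostPatterns(newManifest)) {
    if (before.includes(p)) continue; // same string as before: nothing changed
    (before.some((o) => covers(o, p)) ? report.alreadyCovered : report.newAccess).push(p);
  }
  return report;
}

// Constructed sample manifests (assumed pattern strings, not the real ones).
const oldSample = {
  permissions: ["storage", "*://*.steampowered.com/*", "*://*.steamcommunity.com/*"],
  content_scripts: [{ matches: ["*://*.steampowered.com/*", "*://*.steamcommunity.com/*"] }],
};
const newSample = { ...oldSample, content_scripts: [...oldSample.content_scripts,
  { matches: ["*://store.steampowered.com/"], css: ["home.css"] }] };

console.log(reviewUpdate(oldSample, newSample));
```

Any entry in either list is worth reviewing before upload; an empty report means the update adds no new pattern strings.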
How it affects you, the user
Enhanced Steam still has the same permissions it did in version 9.2 (and 2.3) so nothing has really changed for users. Enhanced Steam still has the ability to alter what you see on the Steam website, as that’s more or less what it’s for. If you really feel strongly about not updating the extension, I would invite you to download version 9.2 from GitHub and continue using that if you were happy with it.
Enhanced Steam made an innocent change that Google over-reacted to. Nothing has really changed, and everything is fine.