Aha! Develop | Extensions security model

Extensions are very powerful and should be reviewed carefully before installing. Extensions that have been marked as trusted have been created by Aha! Develop and are enabled automatically when installed.

No other extensions have been vetted by Aha! Develop. You are responsible for vetting them by reviewing the source code before adding them to your account.

Browser extensions

Browser extensions are JavaScript code running in the same browser context as the rest of the page. They are not sandboxed or separated within <iframe>s. This gives extensions powerful capabilities to interact with the user experience of the page but comes with risks too.

Browser extensions can use your credentials to access Aha! Develop. They can perform any action that you can. If you have logged into another service through Aha! Develop, extensions can also perform any action on that service using the credentials you have saved in Aha! Develop.

Aha! Develop has a restrictive Content Security Policy that blocks many external resources, but an extension can allowlist the CSP sources it needs in order to function. Before installing an extension, review the cspSources key in the extension's package.json to ensure the allowlist is as restrictive as possible and that no unexpected domains are listed.
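As an added example (not Aha! Develop code), the script below pulls cspSources out of an extension's package.json and flags the entries a reviewer should question: wildcards, plaintext HTTP, unsafe-* keywords, and hosts the extension's code never contacts. The nesting of cspSources under ahaExtension and the sample package.json are assumptions.

```javascript
// Added example (not Aha! Develop code). Assumption: cspSources is an array of
// CSP source strings nested somewhere in package.json, so we search for the key.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ // constructed sample, hypothetical extension
  name: "hypothetical-extension",
  ahaExtension: {
    cspSources: [
      "https://api.example-service.test", // genuinely needed by the extension
      "https://*.unknown-cdn.test",       // wildcard host
      "http://plain-http.test",           // plaintext scheme
      "'unsafe-eval'",                    // CSP keyword that weakens protection
      "*",                                // allows everything
    ],
  },
});
// Return the first cspSources array found anywhere in a parsed JSON tree.
function findCspSources(node) {
  if (node === null || typeof node !== "object") return null;
  if (Array.isArray(node.cspSources)) return node.cspSources;
  for (const child of Object.values(node)) {
    const found = findCspSources(child);
    if (found) return found;
  }
  return null;
}
// Host part of a CSP source such as "https://api.host.test:443/path".
function hostOf(source) {
  const noScheme = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return noScheme.split("/")[0].split(":")[0].toLowerCase();
}
// Classify one source. expectedHosts are the hosts the extension's source code
// actually contacts (found by reading it); anything else is suspicious.
function classifySource(source, expectedHosts) {
  const s = source.trim();
  if (s === "*" || /^'unsafe-/i.test(s)) return { source, severity: "high", reason: "disables CSP protection" };
  if (s.startsWith("'")) return { source, severity: "ok", reason: "CSP keyword" };
  if (/^http:/i.test(s)) return { source, severity: "high", reason: "plaintext HTTP" };
  const host = hostOf(s);
  if (host.includes("*")) return { source, severity: "medium", reason: "wildcard host" };
  if (!expectedHosts.has(host)) return { source, severity: "medium", reason: "host not used by extension" };
  return { source, severity: "ok", reason: "expected host" };
}
// Audit a package.json string: one finding per listed source; an empty result
// means no cspSources key was present (the extension asks for no exceptions).
function auditCspSources(packageJsonText, expectedHosts) {
  const sources = findCspSources(JSON.parse(packageJsonText)) || [];
  return sources.map((src) => classifySource(src, expectedHosts));
}
const report = auditCspSources(SAMPLE_PACKAGE_JSON, new Set(["api.example-service.test"]));
console.log(report.filter((f) => f.severity !== "ok"));
```

Any "high" finding means the extension effectively opts out of the page's CSP and should be treated as untrusted code with network access of its choosing.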

You can disable extensions at any time. This will prevent them from running in your browser.

Server extensions

Server extensions run using the credentials of the user who installed the extension. They can perform any action in Aha! Develop that the installing user can. Like browser extensions, if credentials for another service are saved in Aha! Develop, the extension can perform any action on that service allowed by those credentials.

Server extensions run using a serverless architecture. Each execution is isolated from other extensions and other executions. To prevent abuse, they are limited to a maximum of 10 seconds of runtime per call and have maximum CPU and memory limits.

Extension permissions

Users can control which extensions run in their browser via extension permissions. Each user has an Enabled setting for every extension, which that user may toggle at any time by navigating to Settings ⚙️ → Extensions and then selecting the relevant extension. If an extension is not enabled for a user, the extension cannot load any JavaScript in that user's browser session. Changing the extension permission settings for another user is not supported.

Extensions are disabled for users by default, with two exceptions:

  1. The extension installation process automatically enables the extension for the user who installs it.

  2. When a trusted extension is installed it will be enabled for everyone in the account. Users may still choose to manually disable a trusted or self-installed extension through Settings ⚙️ → Personal → Extensions.

A trusted extension is one developed and maintained by Aha! Develop and is installed via an Aha! Develop hosted URL. Trusted extensions are indicated with a badge icon in Settings ⚙️ → Personal → Extensions.

Administrators may configure an extension to prompt users for permission via Settings ⚙️ → Account → Extensions. Permission prompting means that if a user has never chosen whether to enable or disable the extension, they will be prompted to choose whether to enable it when they navigate to Aha! Develop. Once a user has saved their selection as enabled or disabled, they will not be prompted again for that extension.

An extension installed via the CLI will not prompt users for permission by default. This is useful for developing extensions without affecting other users in the account. In contrast, an extension installed via URL will prompt users for permission by default. This is because we assume that it is intended for account-wide usage. If a user is not prompted for an untrusted extension, it will remain disabled by default.

© 2021 Aha! Labs Inc. All rights reserved.