Extensions security model

Aha! Develop

Extensions are very powerful and should be reviewed carefully before installing. Extensions that have been marked as trusted have been created by Aha! Develop and are enabled automatically when installed.

No other extensions have been vetted by Aha! Develop. You are responsible for vetting them by reviewing the source code before adding them to your account.

You need to be an administrator with customization permissions to install an extension in your Aha! Develop account. Once installed, every Aha! Develop user can choose to Enable an extension in their personal settings.


Browser extensions

Browser extensions are JavaScript code running in the same browser context as the rest of the page. They are not sandboxed or separated within <iframe>s. This gives extensions powerful capabilities to interact with the user experience of the page but comes with risks too.

Browser extensions can use your credentials to access Aha! Develop. They can perform any action that you can. If you have logged into another service through Aha! Develop, extensions can also perform any action on that service using the credentials you have saved in Aha! Develop.

Aha! Develop has a restrictive Content Security Policy (CSP) that will block many external resources, but extensions can allowlist the CSP sources they need to function. Before installing an extension, you should review the cspSources key in the extension's package.json to ensure the allowlist is as restrictive as possible and that there are no unexpected domains listed.
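One way to carry out the cspSources review described above, as an added example that is not Aha! Develop's own code. The sample manifest, its nesting under an ahaExtension key, and the expected-host list are constructed assumptions, so the finder matches a cspSources key at any depth.

```javascript
// Added example: flag cspSources entries that deserve a closer look.
// Constructed sample manifest (not a real extension); the "ahaExtension"
// nesting is an assumption, so cspSources is searched for at any depth.
const samplePackageJson = JSON.stringify({
  name: "example.sample-extension",
  ahaExtension: {
    cspSources: [
      "https://api.example.com",
      "https://*.example.net",
      "http://metrics.example.org",
      "*",
      "https://cdn.unreviewed.example",
    ],
  },
});

// Collect every cspSources array found anywhere in the parsed manifest.
function findCspSources(node, found = []) {
  if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      if (key === "cspSources" && Array.isArray(value)) found.push(...value);
      else findCspSources(value, found);
    }
  }
  return found;
}

// Return one finding per source that is broader than an exact, expected HTTPS host.
function auditCspSources(manifestText, expectedHosts) {
  const findings = [];
  for (const source of findCspSources(JSON.parse(manifestText))) {
    const match = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(String(source));
    if (!match) {
      findings.push({ source, reason: "not a scheme://host source" });
    } else if (match[1].toLowerCase() !== "https") {
      findings.push({ source, reason: "non-HTTPS scheme" });
    } else if (match[2].includes("*")) {
      findings.push({ source, reason: "wildcard host" });
    } else if (!expectedHosts.includes(match[2].toLowerCase())) {
      findings.push({ source, reason: "unexpected domain" });
    }
  }
  return findings;
}

// Only api.example.com is expected for this constructed extension.
console.log(auditCspSources(samplePackageJson, ["api.example.com"]));
```

An empty result means every listed source is an exact HTTPS host you expected; anything else should be explained by the extension's purpose before you install it.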

You can disable extensions at any time. This will prevent them from running in your browser.


Server extensions

Server extensions run using the credentials of the user who installed the extension. They can perform any action in Aha! Develop that the installing user can. Like browser extensions, if credentials for another service are saved in Aha! Develop, the extension can perform any action on that service allowed by those credentials.

Server extensions run using a serverless architecture. Each execution is isolated from other extensions and other executions. To prevent abuse, they are limited to a maximum of 10 seconds of runtime per call and have maximum CPU and memory limits.

Server-side extensions run in a pure JavaScript environment and so must include all of the code that they will execute. Concretely, that means server-side extensions have access to everything listed in Mozilla's JavaScript Reference, but nothing listed in Node's API Reference. The one exception is that we have added the fetch API to this environment to make it easier to communicate with the outside world.

If you need access to Node-style APIs, consider looking for polyfills that can provide this missing functionality. You can use these polyfills by adding the appropriate npm package to your package.json and importing it into the code for your server-side extension contribution.

Note: APIs related to process management, file handling, and low-level network protocols are explicitly not available even via polyfills.


Extension permissions

Users can control which extensions run in their browser via extension permissions. Each user has an Enabled setting for every extension, which that user may toggle at any time by navigating to Settings ⚙️ → Personal → Extensions and then selecting the relevant extension. If an extension is not enabled for a user, the extension cannot load any JavaScript in that user's browser session. Changing the extension permission settings for another user is not supported.

Extensions are disabled for users by default, with two exceptions:

  1. The extension installation process automatically enables the extension for the user who installs it.

  2. When a trusted extension is installed it will be enabled for everyone in the account. Users may still choose to manually disable a trusted or self-installed extension through Settings ⚙️ → Personal → Extensions.

A trusted extension is one developed and maintained by Aha! Develop and is installed via an Aha! Develop hosted URL. Trusted extensions are indicated with a badge icon in Settings ⚙️ → Personal → Extensions.

Administrators may configure an extension to prompt users for permission via Settings ⚙️ → Account → Extensions. Permission prompting means that if a user has never chosen whether to enable or disable the extension, they will be prompted to choose whether to enable it when they navigate to Aha! Develop. Once a user has saved their selection as enabled or disabled, they will not be prompted again for that extension.

An extension installed via the CLI will not prompt users for permission by default. This is useful for developing extensions without affecting other users in the account. In contrast, an extension installed via URL will prompt users for permission by default. This is because we assume that it is intended for account-wide usage. If a user is not prompted for an untrusted extension, it will remain disabled by default.
