Hi, it was for a long time I felt uncomfortable to host my bookmarks on the Mozilla server. Was glad to see this app but Nextcloud warns me that I will grant access now to floccus.
As security is important to me, can somebody tell me if this application will get access to all my Nextcloud content or solely to the Bookmarks app?
What are exactly the permissions flocuss will have then?
Why is flocuss even necessary, does Mozilla (the browser or the server) not provide a direct interface? The browser is open source so it should be possible for the app to establish a direct connection to the browser’s bookmarks.
Hi @thule
This is a great question!
Nextcloud and Nextcloud apps cannot access your browser. If anything, Firefox could access Nextcloud (as it does when you enter your Nextcloud URL), however Mozilla has no interest to implement sync to Nextcloud, of course, since they already have their own sync service. That is why I created a browser extension that works on most browsers to sync to Nextcloud.
Due to how authentication is implemented in Nextcloud you are giving floccus access to all of your Nextcloud. (The same would be necessary btw if it was possibel to sync firefox with Nextcloud directly, you would have to give firefox access to your full nextcloud.) Let me know if you have more questions
Thank you, surprised that Mozilla shields access to the bookmarks of the users.
Anyhow, what are then the permissions of floccuss after it has access?
From what you said I understood that it will be able to read everything.
Are at least the writing permissions restricted solely to the bookmarks app?
Just one side question here: Can’t you prevent file access at least then using a token? I am unsure if this access was required for floccus but I guess it uses the bookmark REST API only, doesn’t it?
Can’t you prevent file access at least hen using a token?
Ah, yes. You can. In the user Security settings you can select the app token used by floccus and disable file system access, but this is not possible as part of the login auth flow currently.