This morning @loon3 rolled out the latest version of the Tokenly Pockets Multi-Token Wallet to the Chrome store which contains some changes that are both helpful now but will be even more helpful as the Tokenly ecosystem grows over the next year.
Within about an hour of that update going live, I received an email from a user of Pockets who had noticed the new version asks for more permissions than the old one, which is totally true.
Here's the email asking the questions and its answer.
I’ve just rebooted my computer (after having not done so for a couple of weeks) and suddenly am getting this message about Tokenly Pockets:
I am a little concerned about “Read and change all your data on the websites that you visit”!
Can you fill me in on what this means? Is it legit or is this a spurious message I shouldn’t be getting?
And the response
Hi Philip, It is legitimate and necessary
"change your data pages" basically means that the wallet has the ability to look for certain types of scripts and add elements to the page in response to them. In practice this happens in two situations.
One is where you're buying something and the option is to do the whole copy/paste routine to and from your wallet without clicking away from it or to use our token enhanced payment protocol that supplements the information with a "Pay with Pockets" button that when clicked opens up your wallet in a new browser window pre-loaded with the payment information, all you have to do is verify it is correct, select the appropriate pocket that has enough of the requested token and click the pay button.
The other time this happens is when you visit chain.so (which is linked whenever you make a transaction by clicking View Transaction), normally counterparty transactions are not detected on block explorers until they have one confirmation but the wallet itself can interpret the data on the page and show the user exactly what counterparty data will be confirming so no wait is needed.
To do this the wallet must be able to both read the page (to find the data to parse and display or to find the script that indicates the payment information) and edit the page (to add the button or to add the interpreted data)
Because Tokenly Pockets is intended to act as the best way to buy with tokens on any site, we've expanded the permissions which previously just made these changes on LTB and tokenly.com domains
The "Manage Downloads" permission was needed to enable import/export labels, which is a new feature in this version. If you use multiple wallets you can now export your labels as a .json and the next time you load up that wallet, you can import that label file and it will load up (from the default five addresses that load with a wallet) to however many are named.
If you have more than one wallet or you use more than one computer and want to be able to have consistency between your wallet naming schemes without maintaining a spreadsheet dedicated to the topic this is very helpful. We looked at doing it a couple of ways, this way required more permissions but it was the most private solution, so we picked this way.