The Gem Chrome extension requests several permissions as part of providing all of the functionality required to help recruiters with their sourcing efforts. There are a few common questions about the permission levels that will sometimes come up in more detailed security reviews. Attached to this article is also a data flow diagram for the Chrome extension.
Does the Gem Chrome extension log my web activity like keystrokes?
The Gem browser extension does not log keystrokes or engage in keystroke logging behavior. Additionally, while Gem’s privacy policy does include permission for us to collect “your online activity”, this refers to the data collected by the Chrome extension as detailed in the attached artifacts. Gem cannot collect online activity outside of sites where the extension has host permissions. This data is collected with data minimization in mind and is used to provide Gem’s services and support to our customers.
How can I control which sites the Gem Chrome extension can access?
The primary tool for controlling the extension’s level of access is the host permissions block list and allow list in your browser management admin panel. The chrome.tabs permission is not governed by host permissions, but critically, Gem’s ability to access or modify the contents of a web page is governed by them.
The following is a detailed list of the permissions requested and what they are used for, along with how a customer’s IT team can control which sites the extension has access to.
- unsafe-eval - Gem integrates with a number of third-party sites to make recruiting teams more efficient in their workflows. Part of this involves injecting ‘Add to Gem’ buttons on certain sites to quickly import candidates into Gem. In order to do this, Gem needs to be able to execute JavaScript on the page. The unsafe-eval permission is required in order for Gem to run JavaScript in this manner and integrate with third-party sites.
- Communication with localhost:3000 - Our customers are in full control of which sites the Gem extension can integrate with. localhost:3000 is actually only used by the Gem engineering team, despite being included in the extension’s permissions list. Customers can override Gem’s permissions list in GSuite so that it is not allowed to access localhost:3000 or any other site deemed sensitive.
- Communication with additional sites - If communication with the additional sites is a concern, you can use the GSuite override to disable Gem’s access to those sites. The consequence of disabling the extension’s access to any of those sites is that the recruiting team will be unable to use the Gem extension to source candidates from those specific sites or show the Gem sidebar alongside profiles on those sites.
- Cookies across other sites - The GSuite override also controls which hosts Gem can access cookies from. We do use cookies in order to make certain recruiting workflows more efficient, such as importing candidates into the Applicant Tracking System, so that functionality would be directly impacted if cookie access to those hosts were disabled.
- See which extensions are installed - Some other extensions aren’t compatible with Gem. We use this permission to notify the user if they have one of these incompatible extensions installed.
- Search/Manipulate Downloads - This permission is core to the recruiting workflow of sourcing candidates from LinkedIn. Downloading a PDF of a candidate’s profile is how recruiters easily import candidates into Gem from LinkedIn. The Gem extension parses the downloaded PDF: https://help.gem.com/en/articles/2745517-adding-a-candidate-to-gem-in-linkedin. Importantly, the extension only has access to downloads that originated from a host that it has access to. Because Gem requests permissions for *://*.linkedin.com, it can access downloads from LinkedIn. Using the GSuite override, you can create a whitelist of which sites Gem has access to (and thus sites that Gem can access downloads from).
- Webrequest - We use this permission to attach listeners to web requests, which allows us to inspect the headers and body of the request. This is required for our Indeed integration, where we listen for outgoing candidate messages to automatically add the person to Gem, and for LinkedIn InMail tracking, where we listen for outgoing InMail messages and log those to your Gem account.
- declarativenetrequest - We use this permission in conjunction with the Webrequest permission. It allows us to block the request from being sent / received until we are done inspecting/modifying it and to inject extension metadata headers (extension id, extension version, tab id) to requests going to Gem sites to ensure the activity is properly tracked and attributed to your account.
- ActiveTab - This permission gives the extension temporary access to the foreign window when the user invokes the extension (most commonly by clicking the Gem icon). Access to the site is rescinded once the user’s session ends (by closing the tab or navigating to another origin). This allows the extension to work on any arbitrary site after the user invokes it, enabling the basic Gem sourcing functionality to work even on sites where we have not specifically built functionality to support them.
- tabs - The privileged tab information that this provides includes tab url (https://developer.chrome.com/docs/extensions/reference/tabs/#property-Tab-url), which we rely on since the extension behaves differently depending on the site (e.g. on LinkedIn we mount the sidebar differently than on Gmail).
- management - We use this permission to determine if the current Gem extension install was a development install, for which we change the base URL to localhost. We also use this permission to get a list of all currently installed Chrome extensions, and we send that to our server for debugging purposes to verify that the user does not have any other Chrome extensions installed which we know will cause issues with Gem.
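To make the two mechanisms above concrete (the admin-side host block/allow override described under "How can I control which sites the Gem Chrome extension can access?", and the permission list just given), here is an added audit script. It is example code written for this article, not Gem’s own code, and the manifest and policy it contains are constructed samples, not Gem’s real manifest or a real extension ID (the ID is a placeholder). It lists the API permissions a manifest requests, flags 'unsafe-eval' in the manifest CSP, and computes which sites the extension can still touch once a Chrome ExtensionSettings policy with runtime_blocked_hosts and runtime_allowed_hosts is applied; Chrome gives runtime_allowed_hosts precedence over runtime_blocked_hosts, which is what turns "block everything, then allow named hosts" into an allow list. The pattern matcher is a deliberately simplified stand-in for Chrome’s own match-pattern logic, so confirm any real policy in the admin console.

```python
"""Audit a Chrome extension manifest against an enterprise ExtensionSettings
policy: list requested API permissions, flag 'unsafe-eval' in the CSP, and
compute effective site access after the admin's runtime host override."""
import json
from urllib.parse import urlparse

# Constructed sample manifest for illustration only; NOT Gem's manifest.
# Manifest V2 form: host patterns live in "permissions" next to API names.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Example sourcing extension",
    "permissions": [
        "tabs", "activeTab", "cookies", "downloads", "webRequest",
        "declarativeNetRequest", "management", "storage",
        "*://*.linkedin.com/*", "*://*.indeed.com/*", "http://localhost:3000/*",
    ],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
}

# Constructed ExtensionSettings policy entry keyed by a placeholder extension ID.
# runtime_allowed_hosts takes precedence over runtime_blocked_hosts, so blocking
# "*://*" and then allowing named hosts yields an allow list.
EXT_ID = "EXTENSION_ID_PLACEHOLDER"
SAMPLE_POLICY = {
    EXT_ID: {
        "installation_mode": "force_installed",
        "runtime_blocked_hosts": ["*://*"],
        "runtime_allowed_hosts": ["*://*.linkedin.com", "*://*.indeed.com"],
    }
}

# What each API permission lets an extension do, from a reviewer's point of view.
SENSITIVE_APIS = {
    "tabs": "URL/title of every open tab; not scoped by host permissions",
    "activeTab": "temporary access to the current tab after a user gesture",
    "cookies": "read/write cookies on hosts the extension may access",
    "downloads": "search, open and manage the browser's download list",
    "webRequest": "observe requests (headers, bodies) on permitted hosts",
    "declarativeNetRequest": "block, redirect or rewrite headers of matching requests",
    "management": "enumerate, enable or disable installed extensions",
}


def api_permissions(manifest):
    """API (non-host) permissions: entries without a scheme separator."""
    perms = manifest.get("permissions", [])
    return [p for p in perms if "://" not in p and p != "<all_urls>"]


def host_patterns(manifest):
    """Host match patterns from MV2 'permissions' and/or MV3 'host_permissions'."""
    pats = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return ["*://*" if p == "<all_urls>" else p for p in pats if "://" in p or p == "<all_urls>"]


def uses_unsafe_eval(manifest):
    """True when the manifest CSP permits eval(); handles MV2 string and MV3 dict forms."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = " ".join(csp.values())
    return "'unsafe-eval'" in csp


def pattern_matches(pattern, url):
    """Simplified scheme://host[:port][/path] matcher: '*' scheme matches any
    scheme, '*' host matches any host, '*.example.com' matches the domain and
    its subdomains; the path is ignored. Not Chrome's full implementation."""
    p_scheme, _, rest = pattern.partition("://")
    p_host = rest.split("/", 1)[0]
    u = urlparse(url)
    if p_scheme != "*" and p_scheme != u.scheme:
        return False
    if ":" in p_host:  # a port in the pattern must match exactly
        p_name, p_port = p_host.rsplit(":", 1)
        if str(u.port or "") != p_port:
            return False
    else:
        p_name = p_host
    u_name = (u.hostname or "").lower()
    if p_name == "*":
        return True
    if p_name.startswith("*."):
        base = p_name[2:]
        return u_name == base or u_name.endswith("." + base)
    return u_name == p_name


def policy_allows(policy_entry, url):
    """Admin override: an allowed-host match wins; otherwise a blocked-host match denies."""
    if any(pattern_matches(p, url) for p in policy_entry.get("runtime_allowed_hosts", [])):
        return True
    return not any(pattern_matches(p, url) for p in policy_entry.get("runtime_blocked_hosts", []))


def can_access(manifest, policy_entry, url):
    """Effective page access = the manifest grants the host AND the policy permits it."""
    granted = any(pattern_matches(p, url) for p in host_patterns(manifest))
    return granted and policy_allows(policy_entry, url)


def audit(manifest, policy_entry, urls):
    """Report a reviewer can read: permissions, CSP eval, and per-site effective access."""
    return {
        "api_permissions": {p: SENSITIVE_APIS.get(p, "not classified") for p in api_permissions(manifest)},
        "unsafe_eval": uses_unsafe_eval(manifest),
        "host_patterns": host_patterns(manifest),
        "effective_access": {u: can_access(manifest, policy_entry, u) for u in urls},
    }


if __name__ == "__main__":
    urls = ["https://www.linkedin.com/in/someone", "http://localhost:3000/",
            "https://mail.google.com/", "https://www.indeed.com/"]
    print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_POLICY[EXT_ID], urls), indent=2))
```

With the sample policy, localhost:3000 stays in the manifest but is blocked by the override, LinkedIn and Indeed remain reachable, and a site the manifest never grants (Gmail here) is unreachable regardless of policy. Note that the tabs and management permissions are not host-scoped, so the override changes nothing about them; that is why they appear in the report separately from the per-site access table.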