0

I'm reading about message passing between extension and webpage, and I have a question about permissions.

My use case is: I need to communicate with all webpages, but only the active one. On the webpage, when the user clicks on a button "[Connect with my Extension]", it sends a message to the extension. What I'm doing now, is I'm injecting a content_script inside all the webpages:

// manifest.json snippet

  "permissions": ["storage"],
  "content_scripts": [{
    "js": ["content.js"],
    "matches": ["http://*/*", "https://*/*"],
    "run_at": "document_start"
  }],

and content.js does chrome.runtime.sendMessage/chrome.runtime.onMessage with the background. It works, but when I publish my extension, Chrome says:

Because of the following issue, your extension may require an in-depth review:

  • Broad host permissions

Instead of requesting broad host permissions, consider using the activeTab permission, or specify the sites that your extension needs access to. Both options are more secure than allowing full access to an indeterminate number of sites, and they may help minimize review times.

The activeTab permission allows access to a tab in response to an explicit user gesture.

{   ...   "permissions": ["activeTab"] }

My question is: is there a way to achieve what I want by using activeTab only, as Chrome suggests?

My initial understanding is that NO. activeTab is only activated on some specific user interactions, whereas I would need to activate it on button click inside the webpage. So my only hope is to battle with Chrome's "in-depth reviews". Is that right?

Thanks.

jeanpaul62
  • 9,451
  • 13
  • 54
  • 94
  • Your assessment is correct. There's no way `activeTab` can help in your scenario. However it's unclear why you need that button in the page if you can provide the same when the user clicks the extension icon in the toolbar. – wOxxOm Feb 20 '20 at 11:44
  • In my case, it's a "Login" button, I would much rather have this login button inside the webpage, UX-wise. – jeanpaul62 Feb 20 '20 at 11:49
  • I find it surprising, actually. Unlike userscripts, extensions have a dedicated place to control and invoke their UI, so they don't need to cramp themselves into the volatile page UI. Also, extensions can be assigned a hotkey on chrome://extensions page (see [commands](https://developer.chrome.com/extensions/commands) API). – wOxxOm Feb 20 '20 at 11:51
  • `Also, extensions can be assigned a hotkey on chrome://extensions page.` Can you elaborate on this? Is it related to https://developer.chrome.com/extensions/commands? – jeanpaul62 Feb 20 '20 at 11:53
  • Would it be possible to add a hotkey shortcut to my extension, and programmatically "press" those keys from the webpage (e.g. using https://stackoverflow.com/questions/596481/is-it-possible-to-simulate-key-press-events-programmatically)? – jeanpaul62 Feb 20 '20 at 11:57
  • 1) Eh? That's exactly what my comment says, see the documentation for more info. 2) No. – wOxxOm Feb 20 '20 at 11:59
  • 1) I posted my comment before you edited yours and added the last parenthesis. 2) Could you elaborate why? – jeanpaul62 Feb 20 '20 at 13:19
  • Those hotkeys are processed in the UI layer, not in tab contents layer. – wOxxOm Feb 20 '20 at 13:23
  • 1
    [Trigger shortcut in a Chrome extension](//stackoverflow.com/a/37993879) – wOxxOm Feb 20 '20 at 13:24

0 Answers0