4

I just wrote a chrome extension which adds a tab to devtools that generates CSS selectors from sample elements on any page. I have set the "<all_urls>" permissions since I'll inject JS using content scripts in whatever page the user wants to select sample elements. I just paid $5 to Google and as I was in the process of publishing the extension to the chrome extensions store, Google warned me it may take several weeks for my extension to be approved because permissions are too broad.

According to Google, I may not need to declare any host permission if I declare the activeTab permission. Not sure if that applies to my case, but most importantly, I have no idea whether I may actually need additional permissions since no warnings will be shown when my extension is unpacked (I understand that to mean no warnings will be shown and the extension will be allowed to run any code regardless of any missing permissions), which is how I'm testing it.

Google then suggests packing the installed extension in order to see the warnings, but then I won't see any warning because the extension won't run. So I don't seem to have any way to know whether I actually need the "<all_urls>" permission or whether I need any additional permission other than testing my luck by publishing it and waiting several weeks to see what happens, and repeat this process until I come up with the minimum required permissions, so I wonder if anyone knows a better alternative.

Juan
  • 15,274
  • 23
  • 105
  • 187

1 Answers1

4

Permission warnings are shown by the browser before an extension is installed. They list the API and host permissions. These warnings don't influence the functionality of the extension.

To view these warnings you can run the following in devtools console opened on any of your extension pages (i.e. not in content scripts):

fetch('/manifest.json').then(_ => _.text()).then(_ => chrome.management.getPermissionWarningsByManifest(_, console.log))

To view the permissions of any installed extension, unpacked or from the store, open chrome://extensions page and click the details button on that extension's card.

enter image description here

The circled part is for API permissions. Site access below lists the host permissions, which are displayed in simplified form when an extension is installed in the web store e.g. <all_urls> would be "Read and change all your data on the websites you visit".

The exact text of each permission warning is also listed in the documentation.

Your extension uses <all_urls> which means broad access and the slow manual review queue. As suggested, you can try to use activeTab permission instead of <all_urls>. In case it won't work, open a new report on https://crbug.com because the old one was abandoned. Also, try using chrome.devtools.inspectedWindow API that provides eval method that is similar to chrome.tabs.executeScript and might work with activeTab. Note, it's not related to JavaScript eval.

wOxxOm
  • 65,848
  • 11
  • 132
  • 136
  • 1
    Maybe my post was confusing, but I don't need to know which permissions my extension has declared since I already know this. What I want to know is whether I actually need to declare these permissions, or which other permissions I may need to declare. I was hoping the warnings would tell me this, but I won't see any warnings when the extension is unpacked even if I don't declare any permission at all. – Juan Sep 24 '20 at 18:11
  • Also, since you mentioned trying `activeTab`, how would I go about trying this if unpacked extensions won't show any warning? Would the only way be to publish to the chrome store and, after a few weeks, if approved, install it and see if my extension displays warnings? (BTW, I do use `inspectedWindow.eval` instead of `executeScript`) – Juan Sep 24 '20 at 18:16
  • 1. The warnings are displayed when the extension is installed and they will list API and hosts, so you can infer them from the details page + documentation that lists the text of the warnings as described in my answer 2. I see no problems with trying activeTab as these warnings have no relation to the functionality of the extension. 3. You can also use chrome.management.getPermissionWarningsByManifest, see its description. – wOxxOm Sep 24 '20 at 18:29
  • Sorry I think we're still talking past each other. I don't care about which descriptions correspond to which permissions. I just want to know which permissions I need to include in my manifest. I guess I could just "try" different permissions until they "work", except this implies publishing to the chrome store for each try. Or do you mean something else by "trying" permissions? Maybe I'm just missing something obvious here. – Juan Sep 24 '20 at 18:38
  • Yeah I don't understand anymore what you want. If you want to use a chrome.* API then you add a permission for that API and then you can use it. Whether you need it or not, depends on whether that API does what you want. It's simple as that. – wOxxOm Sep 24 '20 at 18:40
  • I've edited the answer to address some of the vague points, hopefully. – wOxxOm Sep 24 '20 at 18:44
  • Wait so permissions are just warnings??? They don't influence whether my code runs or not?? What's their point then? Can I just not declare any permissions??? – Juan Sep 24 '20 at 18:46
  • Indeed, you don't have to declare any permissions if you don't need to access any restricted API or any hosts. Permissions grant access to API or sites. You can't use an API without adding it to permissions (except a few like i18n or runtime). You can't access a host without listing it or using `activeTab`. As for warnings, those are created based on the permissions and displayed before installation. The warnings don't influence functionality. Warnings are not permissions. – wOxxOm Sep 24 '20 at 18:48
  • OK I know why this was so confusing! I thought the warning the Google page was talking about were warnings shown when an extension attempted to use an API that required a permission that wasn't listed in the manifest, but in reality when such API is invoked an error is thrown without any warning and Google was talking about the warning shown during installation. I though this because I noticed my unpacked extension ran fine without any permission at all, but the reason for this is because I don't actually need any permission which seemed too weird to be true.... Sorry for the confusion! – Juan Sep 24 '20 at 19:40