ShivanKaul

Reputation: 757

Overly strict warning from Chrome Web Store for using a public API

I recently made a Chrome Extension (FrontPage) which uses the New York Times API.

I send an AJAX request to the API and it responds with JSON. However, in order to be able to do so, I need to set permissions in the manifest.json file to be https://api.nytimes.com/* thusly:

  ...
  "permissions": [ "https://api.nytimes.com/*" ],
  ...

in order to not have the Extension crash and burn and give a Cross Origin rejection.

However, any time a user installs my Extension from the Web Store, they get a scary looking warning along the lines of: "[The extension] Can access all your data on api.nytimes.com".

All I'm doing is sending a request and receiving and parsing a response from a public API. The warning seems excessive. I'm not storing any user data in any way.

Is there a way around this i.e. is there a way to use an API in a Chrome Extension without displaying to the user this warning? Am I approaching this in a non-canonical way?

Upvotes: 3

Views: 146

Answers (3)

Zig Mandel

Reputation: 19864

Answers by Xan and Luke are of course correct but haven't mentioned an important alternative that will help you:

You can make it an optional permission and request it later at run time, prefaced with an explanation as to why it's needed (better yet, first ask for it, and if the user declines then explain to them that they must accept).

Just remember optional permissions must be asked for after a user action, so show a modeless dialog with a button and ask for permission when the button is clicked. I had a similar issue in my extension.

In my case I just needed to create and read a specific Google spreadsheet, but that means asking for their entire Google Drive for read/write.

Upvotes: 1
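As an added example (not code from the thread or from the FrontPage extension), here is one way to do what this answer describes: declare the NYT API host as an optional permission, check whether it was already granted, and request it only from a click handler. The manifest key shown is the Manifest V2 `optional_permissions` form that matches the question's manifest; the `enable-nyt` and `status` element ids and the `fakePermissionsApi` helper are assumptions made for this example.

```javascript
// Added example, not from the original thread.
//
// manifest.json fragment (Manifest V2, same shape as the question's manifest):
//   "optional_permissions": ["https://api.nytimes.com/*"]
// Manifest V3 uses the key "optional_host_permissions" for host patterns.

const NYT_ORIGIN = "https://api.nytimes.com/*";

// permissionsApi is passed in rather than referenced as a global so the
// decision logic can run outside a browser; in the extension it is
// chrome.permissions, whose contains()/request() take a callback (MV2 style).
function ensureNytAccess(permissionsApi, done) {
  permissionsApi.contains({ origins: [NYT_ORIGIN] }, (alreadyGranted) => {
    if (alreadyGranted) {
      done("ready"); // no prompt needed, go fetch headlines
      return;
    }
    // chrome.permissions.request only works inside a user-gesture handler
    // (a click); calling it from onInstalled or a timer throws.
    permissionsApi.request({ origins: [NYT_ORIGIN] }, (granted) => {
      done(granted ? "granted" : "declined");
    });
  });
}

// Wiring for the popup/options page; only runs inside an extension page.
if (typeof document !== "undefined" && typeof chrome !== "undefined" && chrome.permissions) {
  const button = document.getElementById("enable-nyt"); // assumed element id
  if (button) {
    button.addEventListener("click", () => {
      ensureNytAccess(chrome.permissions, (outcome) => {
        const status = document.getElementById("status"); // assumed element id
        if (outcome === "declined" && status) {
          status.textContent =
            "FrontPage needs read access to api.nytimes.com to fetch headlines.";
        }
      });
    });
  }
}

// Constructed stand-in for chrome.permissions so the flow can be exercised
// without a browser: `userAccepts` models the user's choice in the prompt.
function fakePermissionsApi(initialGranted, userAccepts) {
  let granted = initialGranted;
  return {
    contains(_spec, cb) { cb(granted); },
    request(_spec, cb) { if (userAccepts) granted = true; cb(granted); },
  };
}
```

Because the host is only in `optional_permissions`, the install-time warning disappears; the "can access your data on api.nytimes.com" prompt is instead shown at the moment the user clicks, next to whatever explanation the page gives.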

Luke

Reputation: 5708

There is no way to do what you are asking. Chrome is just informing users what your app can do. They have no way to trust you. What I suggest you do, and what I have seen others do, is inform potential downloaders of the warning on your app's description page.

Something like

"Warning: you may get a scary warning message blah blah because my extension blah blah. I don't do anything with your data; I encourage you to look at the source if you are curious."

Most people are used to seeing and accepting these warnings by now anyway. Yours actually makes a lot of sense, because users can intuitively see how that page is related to your extension.

"Read and modify all your data on all websites you visit"

is a bit more tricky to deal with.


To deal more directly with your original question: it's the stuff you put in the "permissions" array that determines what warnings (if any) get generated.

Here is a list of all of the possible warning messages and the permissions they apply to. The page also contains a listing of the permissions which don't generate any warning messages.

Upvotes: 2

Xan

Reputation: 77561

If the API is public, then chances are that it has permissive CORS headers enabled.

Some anecdotal evidence from the developers forum suggests this is the case for the NYTimes API, for at least some endpoints (can't test it without an API key). If it's not enabled for the endpoint you are using, you can request that.

In that case, you don't need a permission for cross-origin requests to that API, XHR should succeed anyway.

Upvotes: 2
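As an added example (not from the thread, and not a description of how the NYTimes API is actually configured), here is the check a developer would want before dropping the host permission: given the response headers an endpoint returns, does the browser's CORS rule let a page at the extension's origin read the body? The three sample responses are constructed for this example, and `chrome-extension://EXTENSION_ID_PLACEHOLDER` stands in for a real extension origin.

```javascript
// Added example, not from the original thread. Models the CORS read check
// the browser applies to a cross-origin XHR/fetch from an extension page.

// Turn "Name: value" header lines into a lowercase-keyed object.
function parseHeaders(rawHeaders) {
  const headers = {};
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue; // skip the status line and blanks
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Returns { allowed, reason } for a response body read from `requestOrigin`.
// withCredentials models an XHR sent with cookies; "*" is rejected in that case.
function corsAllowsRead(rawHeaders, requestOrigin, withCredentials = false) {
  const h = parseHeaders(rawHeaders);
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allowOrigin === "*") {
    return withCredentials
      ? { allowed: false, reason: "wildcard origin is not valid for credentialed requests" }
      : { allowed: true, reason: "wildcard origin" };
  }
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: `origin ${requestOrigin} does not match ${allowOrigin}` };
  }
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials missing for credentialed request" };
  }
  return { allowed: true, reason: "origin matches" };
}

// Placeholder for the real chrome-extension://<id> origin of the extension page.
const EXT_ORIGIN = "chrome-extension://EXTENSION_ID_PLACEHOLDER";

// Constructed sample responses (not captured from api.nytimes.com).
const SAMPLE_WILDCARD =
  "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nAccess-Control-Allow-Origin: *\r\n";
const SAMPLE_NONE =
  "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n";
const SAMPLE_EXACT =
  "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://example.org\r\n" +
  "Access-Control-Allow-Credentials: true\r\n";

// Which sample responses would still need the manifest host permission?
function needsHostPermission(samples, requestOrigin) {
  return Object.entries(samples)
    .filter(([, raw]) => !corsAllowsRead(raw, requestOrigin).allowed)
    .map(([name]) => name);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(needsHostPermission(
    { wildcard: SAMPLE_WILDCARD, none: SAMPLE_NONE, exact: SAMPLE_EXACT }, EXT_ORIGIN));
}
```

A plain GET with the API key in the query string is a "simple" request, so no preflight is involved and the `Access-Control-Allow-Origin` header on the actual response is the whole decision. If the endpoint returns `*`, the request from the extension page succeeds with no host permission in the manifest at all, and the install-time warning goes away with it.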
