Nucktrooper

Reputation: 245

Are these permissions mandatory in my Chrome extension?

I'm working on a Chrome extension which must get in touch with some APIs. The first version had this permission in the manifest:

"permissions": [ "API_1" ],

And I could contact this API:

var xhr = new XMLHttpRequest();
// "API_1" stands for the first API's base URL; someArguments is the query string
xhr.open('GET', "API_1" + someArguments, true);
xhr.onreadystatechange = function()
{
    // ...
};
xhr.send();

This version is already published, but now I need my extension to contact another API, so I'm using the same code with the new API:

var xhr = new XMLHttpRequest();
// "API_2" stands for the second API's base URL; same code, different host
xhr.open('GET', "API_2" + someArguments, true);
xhr.onreadystatechange = function()
{
    // ...
};
xhr.send();

In this new version I don't get any warning or error, even though there is no permission for "API_2". If I add a permission for API_2, installed extensions will be disabled on update. So my question is: are permissions for API_1 and API_2 really mandatory?

Upvotes: 1

Views: 116

Answers (2)

Xan

Reputation: 77523

If that's all you're using the API host permission for, it depends on exactly one thing: CORS policy of the remote server.

When making XHR requests, if the request is cross-domain (which, from an extension, it always is, except for content scripts on that same domain), Chrome will examine the CORS headers in the server's reply.

By default, if the server does not indicate anything, cross-domain requests are not allowed by the web security model. This is typical if you're requesting something that was never intended to be a public API. Listing the API match pattern in permissions overrides this.

However, for a public API it is typical to include a permissive CORS header (after all, other web applications that may use this API cannot override the security model; only extensions can). In that case, the permission is not necessary.

Upvotes: 2

Noam Hacker

Reputation: 4825

It's hard to know without listing the APIs, but Google's documentation provides a simple way to check how new permissions will affect warnings:

If you'd like to see exactly which warnings your users will get, package your extension into a .crx file, and install it.

To see the warnings users will get when your extension is autoupdated, you can go to a little more trouble and set up an autoupdate server. To do this, first create an update manifest and point to it from your extension, using the "update_url" key (see Autoupdating). Next, package the extension into a new .crx file, and install the app from this .crx file. Now, change the extension's manifest to contain the new permissions, and repackage the extension. Finally, update the extension (and all other extensions that have outstanding updates) by clicking the chrome://extensions page's Update extensions now button.

Basically, create two test extensions, one being your original and another being your updated. Follow this process to go through a simulated update, and you will see what warnings you get, if any.

If you leave out API_2 permissions in the update and everything is fine, then its permissions are not mandatory to include in the manifest.

Source

Upvotes: 1
