Reputation:
Chrome Extension - Are content script matches limited to permissions?
I'm making a chrome extension, and was looking at my manifest.json file and realized something:
I have permissions for sites like this:
"permissions": [
"*://*.google.com/*",
"*://*.twitter.com/*",
]
If I use <all_urls> for my content script, will it be limited to only Google and Twitter domains? Or will it also inject the script into other websites despite not having permission?
Upvotes: 4
Views: 922
Answers (1)
Reputation: 4825
As stated here,
If your content script's code should always be injected, register it in the extension manifest using the content_scripts field. If you want to inject the code only sometimes, use the permissions field instead.
I believe all_urls will override the permissions. After testing this on one of my extensions which uses all_urls, it did in fact work on non-google/twitter domains. I then clicked on the permissions link on my extension in chrome://extensions and it told me that the extension can "read and change all your data on the websites you visit"
Upvotes: 6
Related Questions
- Content script not being allowed to access extension resources
- Optional permissions for "content scripts" in Chrome Extension?
- Does content_scripts matches "chrome-extension://*/*" work?
- Chrome extension: load different content scripts
- Chrome extension content scripts - Is the source available for users to see?
- Chrome Extension: Difference between "permissions" and "matches" (match patterns)
- Can Chrome extension content script access all tabs?
- management permissions for chrome extension in content script
- Chrome Extension Permissions
- Is it allowed for a Chrome Extension to read page script content via Content Script