Reputation: 15715
How to know which permissions my chrome extension needs?
I just wrote a chrome extension which adds a tab to devtools that generates CSS selectors from sample elements on any page. I have set the "<all_urls>" permissions since I'll inject JS using content scripts in whatever page the user wants to select sample elements. I just paid $5 to Google and as I was in the process of publishing the extension to the chrome extensions store, Google warned me it may take several weeks for my extension to be approved because permissions are too broad.
According to Google, I may not need to declare any host permission if I declare the activeTab permission. Not sure if that applies to my case, but most importantly, I have no idea whether I may actually need additional permissions since no warnings will be shown when my extension is unpacked (I understand that to mean no warnings will be shown and the extension will be allowed to run any code regardless of any missing permissions), which is how I'm testing it.
Google then suggests packing the installed extension in order to see the warnings, but then I won't see any warning because the extension won't run. So I don't seem to have any way to know whether I actually need the "<all_urls>" permission or whether I need any additional permission other than testing my luck by publishing it and waiting several weeks to see what happens, and repeat this process until I come up with the minimum required permissions, so I wonder if anyone knows a better alternative.
Upvotes: 4
Views: 7396
Answers (1)
Reputation: 73546
Permission warnings are shown by the browser before an extension is installed. They list the API and host permissions. These warnings don't influence the functionality of the extension.
To view these warnings you can run the following in devtools console opened on any of your extension pages (i.e. not in content scripts):
fetch('/manifest.json').then(_ => _.text()).then(_ => chrome.management.getPermissionWarningsByManifest(_, console.log))
To view the permissions of any installed extension, unpacked or from the store, open chrome://extensions page and click the details button on that extension's card.
The circled part is for API permissions. Site access below lists the host permissions, which are displayed in simplified form when an extension is installed in the web store e.g. <all_urls> would be "Read and change all your data on the websites you visit".
The exact text of each permission warning is also listed in the documentation.
Your extension uses <all_urls> which means broad access and the slow manual review queue. As suggested, you can try to use activeTab permission instead of <all_urls>. In case it won't work, open a new report on https://crbug.com because the old one was abandoned. Also, try using chrome.devtools.inspectedWindow API that provides eval method that is similar to chrome.tabs.executeScript and might work with activeTab. Note, it's not related to JavaScript eval.
Upvotes: 6
Related Questions
- Chrome extension manifest permissions v3
- Permission Justification in Chrome Extension
- Chrome Extension - asking for new permissions
- Chrome Extension: How do I make sure I'm only requesting the minimum permissions I need?
- How to test optional permissions in a Chrome extension?
- Are these permissions mandatory in my Chrome extension?
- chrome extension permissions not working
- management permissions for chrome extension in content script
- Chrome Extension Permissions
- Chrome Extension permissions field in the manifest.json