"Dangerous permissions requests" in chrome extension review process - google-chrome-extension

How much time does the Chrome extension review process usually take? There is also a section on if you have "dangerous permission requests", your extension might take longer to review and approve. What permission requests count as "dangerous"?
In my extension, I have "storage", "cookies", "tabs", "scripting" and "webRequest" permissions, along with having host permissions to access one specific site. Do any of these count as "dangerous" permissions? I am working on a tight deadline, so wanted to be sure.

Related

Request ongoing host permissions in a manifest v3 browser extension

I have a manifest v3 browser extension that has a content script, which I want to be automatically injected into certain pages, without the user explicitly interacting with the extension each time they open it. Normally this would require host permissions, which I want to avoid. Is it possible to have an extension that initially starts with no host permissions, then when the user interacts with the extension and accepts the permissions, it permanently gains host permissions to that page? If so, how can I do this?
I am aware of optional_host_permissions in the manifest, so I realise that an extension can request host permissions, but my understanding is that these increased permissions are only temporary. If this is true, then optional_host_permissions won't suit my need. Also, the requesting can only be done after the user interacts with the extension, but I don't want the user to have to manually click the action button each time they want to enable my extension, it should start automatically.

Permission Justification in Chrome Extension

I'm new as a developer, so not familiar with a few things.
Can anyone help me adding Permission Justification?
PERMISSION JUSTIFICATION
A permission is either one of a list of known strings, such as "activeTab", or a match pattern giving access to one or more hosts.
tabs _________________________________________ ?
activeTab _________________________________________ ?
Host Permission _________________________________________ ?
A host permission is any match pattern specified in the "permissions" and "content_scripts" fields of the extension manifest.
I'm not sure what exactly to fill in on this. Still learning. If anyone can help me with this?
I'd really appreciate it.
I'm using the manifest.json below
"permissions": [ "storage", "tabs", "activeTab", "*://*/*", "http://*/*", "https://*/*" ],
"update_url": "https://clients2.google.com/service/update2/crx",
"version": "2",
"web_accessible_resources": [ "options.html", "Privacy-Policy.html" ]
}
You need to clarify why you need these permissions.
It's a bit of a mess how you are handling these permissions.
You request tabs: it can access any tab that the user opens or updates, and get the URL, content, etc. It's a very sensitive permission. Why do you need it?
Then you request activeTab: it only works when the user clicks the extension icon or a context menu item, to get permissions for the current active tab. It's a low-sensitivity permission. Still, why do you need it?
storage: to store data in the Chrome extension's storage. A normal permission, not sensitive.
Then you come with 3 host permissions. Why do you need permissions to all URLs? It seems you don't understand Chrome extension permissions, yet why do you copy code from another place and upload it to the Chrome Web Store? Chrome Web Store review is pretty strict now; you need to understand your extension first, and try to request as few permissions as you can.
You definitely need to understand extension permissions, before publishing to the Web Store. Excessive permissions with vague explanation is a big red flag for Web Store reviewers and should be for any user installing the extension.
Still, I want to shed some light on the original question. Google does not expect that you will write a super technical and verbose explanation. It just has to make sense in the context of your extension. I have passed Web Store review process with quite short, but on point explanations.
I wrote an opinion piece on required permissions and providing justifications after losing half of my active users after extension update once.
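A least-privilege check over a manifest's "permissions" array, as an added example that is not code from the thread. The sensitivity notes restate the first answer above and are not Google's published review criteria; the function names are hypothetical.

```javascript
// Added example, not code from the thread. Sensitivity notes restate the
// answer above; they are not Google's published review criteria.
const API_NOTES = {
  tabs: "very sensitive per the answer above",
  activeTab: "low sensitivity per the answer above",
  storage: "not sensitive per the answer above",
};

// Classify a match pattern by how many hosts it covers; null if not a host pattern.
function hostBreadth(pattern) {
  if (pattern === "<all_urls>") return "all-hosts";
  const m = /^(\*|[a-z]+):\/\/([^/]*)\/.*$/.exec(pattern);
  if (!m) return null;
  if (m[2] === "*") return "all-hosts";
  return m[2].startsWith("*.") ? "subdomains" : "single-host";
}

function auditPermissions(permissions) {
  const apis = [], hosts = [], findings = [];
  for (const p of permissions) {
    const breadth = hostBreadth(p);
    if (breadth) hosts.push({ pattern: p, breadth });
    else apis.push({ name: p, note: API_NOTES[p] || "not covered in the thread" });
  }
  const broad = hosts.filter((h) => h.breadth === "all-hosts").map((h) => h.pattern);
  if (broad.length > 0)
    findings.push(`every site is matched by: ${broad.join(", ")}`);
  // "*://*/*" and "<all_urls>" already cover http and https, so explicit copies add nothing.
  if (broad.includes("*://*/*") || broad.includes("<all_urls>")) {
    const dup = broad.filter((p) => p === "http://*/*" || p === "https://*/*");
    if (dup.length > 0) findings.push(`redundant patterns: ${dup.join(", ")}`);
  }
  const names = apis.map((a) => a.name);
  if (names.includes("tabs") && names.includes("activeTab"))
    findings.push("tabs and activeTab are both requested; justify each or drop one");
  return { apis, hosts, findings };
}

// Constructed input modelled on the question's manifest, all-site patterns written in full.
const report = auditPermissions(
  ["storage", "tabs", "activeTab", "*://*/*", "http://*/*", "https://*/*"]);
console.log(report.findings.join("\n"));
```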

Can I make requests from an extension without requesting <all_urls> permission?

I am generally wary of extensions that request the <all_urls> permission.
I've had to reluctantly use it in my own extension as I couldn't find any other way to do a simple web-request without being hit by CORS restrictions.
I don't understand why these restrictions apply to extensions?
Presumably there's a good reason.
But I don't need to snoop on requests in transit - this extension is a devtools-extension, and in terms of observing requests, it gets what it needs from chrome.devtools.network API and doesn't need the <all_urls> permission for that.
I had to enable <all_urls> solely so I could make an outgoing request here.
Is there a different way to avoid the CORS restrictions for a simple outgoing web-request?
A less "drastic" permission that doesn't seem as scary to end users?

denying browser notification permissions

According to the spec, you can prompt the browser to allow the user to grant or deny browser notifications. Once the user has granted permission, is there a way to programmatically deny that permission too?
Calling window.Notification.requestPermission() after they have granted permission does nothing except run the success promise.
My goal is to have an On/Off button toggle in the user settings portion of my site. As far as I can tell, there is no way to toggle off once toggled on.
Unfortunately I don't think this is possible at the moment.
In the future we should hopefully be able to use the Permissions API to check and revoke notifications (as well as other APIs like geolocation etc).
However, while we can currently query the status of a permission, the revoke method is unsupported. I believe it was possible in Firefox until recently, but in 51 the functionality was changed to default to off.
As per MDN:
The revoke() function has been disabled by default starting in Firefox
51, since its design has been brought into question in the Web
Applications Security Working Group. It can be re-enabled by setting
the preference dom.permissions.revoke.enable to true.
Example of permissions API:
navigator.permissions.query({name:'notifications'}).then(function(result) {
console.log(result);
});
Result is prompt/denied/granted. Change 'query' to 'revoke' for denying permissions.
navigator.permissions.revoke({name:'notifications'});
Alternatively, this answer from a couple of years ago suggests an alternate approach which you might find interesting - using localStorage to approximate this functionality.

Security concerns when changing permissions in Chrome Extensions

I'm working on an extension that's basically sending out an XHR request and parsing/displaying incoming XML. Ideally I'd like to let users enter the URL they want to send the request to, but to do this I believe I need to change the URL specified in the manifest.json every time the user enters a new URL. Are there any security concerns I should be aware of if implemented? If not I figure just setting the permission to *://*/* might be easier.
If you are letting the user select a URL, you have 2 approaches.
Just allow "<all_urls>" in the manifest (slightly stronger than "*://*/*"). Unless you're doing something specifically bad (like eval or exposing your internals using web_accessible_resources), the only security risk is yourself.
A fancy approach would be to use optional permissions. You put "<all_urls>" in optional permissions then request permissions for new hosts at runtime.
Pros: No scary dialog on install; give the power users comfort in knowing they provided only granular access.
Cons: A permission dialog will appear every time you need new permissions.
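The optional-permissions approach from the answer above, as an added example that is not the answerer's code. It assumes the broad pattern is declared as optional in the manifest and that the call happens inside a user gesture; `originPattern`, `ensureHostAccess` and `fakePermissions` are hypothetical names, and the stub stands in for `chrome.permissions` so the flow runs outside a browser.

```javascript
// Added example, not code from the answer.

// Turn a user-entered URL into the narrowest origin pattern that covers it.
// Built from scheme and hostname only; anything other than http(s) is rejected.
function originPattern(userUrl) {
  let url;
  try { url = new URL(userUrl); } catch { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return `${url.protocol}//${url.hostname}/*`;
}

// Ask for access to one host, prompting only when it is not already granted.
// In an extension, call this from a click handler so the prompt is allowed.
async function ensureHostAccess(userUrl, permissions = globalThis.chrome?.permissions) {
  const pattern = originPattern(userUrl);
  if (!pattern) return { granted: false, reason: "unsupported URL" };
  const wanted = { origins: [pattern] };
  if (await permissions.contains(wanted))
    return { granted: true, pattern, prompted: false };
  const granted = await permissions.request(wanted);
  return { granted, pattern, prompted: true };
}

// Constructed stand-in for chrome.permissions (contains/request only).
function fakePermissions(userAccepts) {
  const held = new Set();
  return {
    contains: async ({ origins }) => origins.every((o) => held.has(o)),
    request: async ({ origins }) => {
      if (userAccepts) origins.forEach((o) => held.add(o));
      return userAccepts;
    },
  };
}

// Demo with a constructed URL: the first call prompts, the second reuses the grant.
async function demo() {
  const api = fakePermissions(true);
  const first = await ensureHostAccess("https://feeds.example.com/rss.xml", api);
  const second = await ensureHostAccess("https://feeds.example.com/atom.xml", api);
  return [first, second];
}
demo().then((results) => console.log(results));
```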
