Chrome extension development: permissions, activeTab, I'm confused - google-chrome-extension

I have developed a simple Chrome extension which generates QR codes through a form which triggers an API. Through JavaScript the QR code is displayed to the user, and through a button it is possible to download the QR code image.
Since this is a simple extension which is not going to "listen" to or interact with any users' activities, and since it's not going to change the content of the pages the user visits, what kind of browser_action and permissions do I have to set in the manifest.json file?
I'm a bit confused by permissions, activeTab, <all_urls>.
I've read some documentation, but I didn't find any match to what my extension will perform: it feels like I don't have to set any permissions, is that possible? Please help!
Thank you in advance for your answers!

Related

Do I need any permissions for my chrome extension?

I am making my first ever chrome extension and I had some questions. My chrome extension is super simple only containing some buttons that go to links. I want to know if I need any permissions for this sort of thing. I am not collecting data or anything like that, I am only giving the user buttons that they can click to go to different URLs.
"permissions": ["ANYTHING", "ANYTHING"],
Do I need anything in here?
If not, can I just delete this whole line?
Mostly you will not need this line, because you did not access any unauthorized user permissions such as access to the camera, file manager, search history, changing the browser's background itself, privacy and follow everything ...
But you are only dealing with a simple HTML page DOM.
If you want to know each time whether you need permissions or not:
Just write your code without asking for permissions. If it works successfully, you do not need an access permission; if the code does not work, then you know that you need a permission and should review the code. That's all.
You can also find out what powers you can access in your Google Chrome extension:
Declare permissions

Adding Support Page to Web Store Extension Page

I'm trying to add a support page right in the extension window but all that I can find is adding a link to another page. I've included some pictures, as I don't know how to really describe the feature.
That's what I have currently, and below is what I want to have:
This is a screenshot of what I have on the dev page, concerning the support feature:
I'm not sure what I need to change, so any help would be appreciated! (Directed here from this chrome forum thread)
Go to https://chrome.google.com/webstore/developer/dashboard
Click "Edit your User Feedback preferences"
Check the "Enable User Feedback for all my apps in Chrome Webstore." box.
Note that neither you nor your users will get notified of new posts made in the webstore support section, so you probably want to direct users to a third party support platform, such as issues on the project's GitHub repo.

How do I give my Google Chrome extension permission to work on all sites?

I'm trying to make a Google Chrome extension that I want to work on all sites, but I can't figure out how to configure the permissions to do this.
Well, there's a helpful page in the docs called "Match Patterns".
You need "<all_urls>" (literally as written) to request access to every site. It is actually required for some APIs like tab capture.
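To see how much site access a manifest actually requests, which is the question behind both the "do I need any permissions" thread and the `<all_urls>` answer above, a manifest.json can be audited before publishing. This is an added example, not code from any of the posts; the two sample manifests are constructed, and `auditManifest` is a hypothetical helper name.

```javascript
// Added example: report which API permissions and host patterns a manifest
// requests. Host access can appear in "permissions" (Manifest V2),
// "host_permissions" (Manifest V3) and in each content script's "matches".

// Match patterns that cover every site (or every http/https site).
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// A match pattern is "<all_urls>" or contains a scheme separator;
// anything else in "permissions" is an API name such as "tabs".
function isHostPattern(entry) {
  return entry === '<all_urls>' || entry.includes('://');
}

function auditManifest(manifest) {
  const sources = [
    ['permissions', manifest.permissions || []],
    ['host_permissions', manifest.host_permissions || []],
  ];
  (manifest.content_scripts || []).forEach((cs, i) =>
    sources.push([`content_scripts[${i}].matches`, cs.matches || []]));

  const report = { apis: [], hosts: [], allSites: [] };
  for (const [where, entries] of sources) {
    for (const entry of entries) {
      if (!isHostPattern(entry)) { report.apis.push(entry); continue; }
      report.hosts.push(entry);
      if (BROAD_PATTERNS.has(entry)) report.allSites.push(`${where}: ${entry}`);
    }
  }
  return report;
}

// Constructed sample manifests (not from the page).
const popupOnly = { manifest_version: 2, name: 'QR popup',
  browser_action: { default_popup: 'popup.html' } };
const everySite = { manifest_version: 2, name: 'Runs everywhere',
  permissions: ['tabs', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }] };

console.log(auditManifest(popupOnly));
console.log(auditManifest(everySite));
```

An empty `allSites` list means the extension asks for no all-sites access; every entry in it is a grant worth justifying or narrowing before release.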

chrome extension login security with iframe

I should note, I'm not a chrome extension expert. However, I'm looking for some advice or high-level solution to a security concern I have with my chrome extension. I've searched quite a bit but can't seem to find a concrete answer.
The situation
I have a chrome extension that needs to have the user login to our backend server.
However, it was decided for design reasons that the default Chrome popup balloon was undesirable. Thus I've used a modal dialog and jQuery to make a styled popup that is injected with content scripts.
Hence, the popup is injected into the DOM of the page you are visiting.
The Problem
Everything works, however now that I need to implement login functionality I've noticed a vulnerability:
If the site we've injected our popup into knows the password field's ID they could run a script to continuously monitor the password and username field and store that data. Call me paranoid, but I see it as a risk. In fact, I wrote a mockup attack site that can correctly pull the user and password when entered into the given fields.
My devised solution
I took a look at some other chrome extensions, like Buffer, and noticed what they do is load their popup from their website and, instead, embed an iFrame which contains the popup in it. The popup would interact with the server inside the iframe.
My understanding is iframes are subject to same-origin scripting policies as other websites, but I may be mistaken.
As such, would doing the same thing be secure?
TLDR
To simplify, if I embedded a https login form from our server into a given DOM, via a chrome extension, are there security concerns to password sniffing?
If this is not the best way to deal with chrome extension logins, do you have suggestions on what is? Perhaps there is a way to declare text fields that javascript can simply not interact with? Not too sure!
Thank you so much for your time! I will happily clarify anything required.
The Same origin policy does indeed protect the contents of the iframe from the main page.
However. There's no way for the user to know whether the iframe in the page belongs to your extension or not. A rogue page could copy your design and impersonate your extension, and ultimately steal the credentials.
The only secure way to get the user to input credentials is through a separate window, popup or tab.
Chrome offers an API to open a window with desired properties, which should be sufficiently flexible to meet your design requirements. See this example, which is also about getting credentials in a popup window: https://stackoverflow.com/a/10341102/938089
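The separate-window approach from the answer above, sketched as an extension background script. This is an added example, not code from the answer or the linked post; the packaged page name `login.html`, the `open-login` message type and the window size are assumptions.

```javascript
// Added example: the credential form lives in its own browser window,
// never in the DOM of the page the user is visiting.
const LOGIN_PAGE = 'login.html'; // assumed name of a page shipped in the extension

// Open the login form as a separate popup-type window.
// `api` is the `chrome` object; it is passed in so the logic can be exercised
// outside the browser with a stub.
function openLoginWindow(api) {
  return new Promise((resolve) => {
    api.windows.create({
      url: api.runtime.getURL(LOGIN_PAGE), // served from the extension's own origin
      type: 'popup',
      width: 420,
      height: 520,
      focused: true,
    }, resolve);
  });
}

// A content script only asks for the window to be opened; it never renders
// username or password fields itself. The sender check is a defensive
// assertion that the request comes from this extension's own scripts.
function handleMessage(api, message, sender) {
  if (sender.id !== api.runtime.id) return false;
  if (!message || message.type !== 'open-login') return false;
  openLoginWindow(api);
  return true;
}

function register(api) {
  api.runtime.onMessage.addListener((message, sender) => {
    handleMessage(api, message, sender);
  });
}

// Only wire up the listener when running inside the extension.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.windows) {
  register(chrome);
}
```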

Programmatic way to search a page for the user in a browser

I am working on a search engine project that will point a user to a page from, say Google, and show them where their search terms are in the document. Most of us search Google and know that sometimes you have to CTRL-F to find where that word appeared on the page (especially on long pages). I know some browser plug-ins can help with this - but is there a way to wrap the page in a frame and do it (even if you don't control the site being displayed)?
If not, what browser plug-ins might you recommend that I could customize & brand so the user can accomplish this task? I'm guessing you could also write a Kynetx plug-in or GreaseMonkey script - but I'd prefer to not go any route that a newbie user wouldn't immediately understand.
Thanks in advance for your help!
You can get the source code of the page with curl, add a JavaScript function to it and then pass the result to the user. Just like server-side GreaseMonkey. :)
In Google Chrome try Google Quick Scroll, it does it.
