I thought I can't use chrome.tabs.executeScript() on, say, google.com, if I don't have "*://*.google.com/" among permissions in manifest.json. But turns out I can. Probably, due to activeTab permission?
I've deleted the extension, loaded unpacked again to make sure it's not some kind of cache and it still works. So, what exactly does this scary "host permission" do? In which case would I need it?
Related
I just wrote a chrome extension which adds a tab to devtools that generates CSS selectors from sample elements on any page. I have set the "<all_urls>" permissions since I'll inject JS using content scripts in whatever page the user wants to select sample elements. I just paid $5 to Google and as I was in the process of publishing the extension to the chrome extensions store, Google warned me it may take several weeks for my extension to be approved because permissions are too broad.
According to Google, I may not need to declare any host permission if I declare the activeTab permission. Not sure if that applies to my case, but most importantly, I have no idea whether I may actually need additional permissions since no warnings will be shown when my extension is unpacked (I understand that to mean no warnings will be shown and the extension will be allowed to run any code regardless of any missing permissions), which is how I'm testing it.
Google then suggests packing the installed extension in order to see the warnings, but then I won't see any warning because the extension won't run. So I don't seem to have any way to know whether I actually need the "<all_urls>" permission or whether I need any additional permission other than testing my luck by publishing it and waiting several weeks to see what happens, and repeat this process until I come up with the minimum required permissions, so I wonder if anyone knows a better alternative.
Permission warnings are shown by the browser before an extension is installed. They list the API and host permissions. These warnings don't influence the functionality of the extension.
To view these warnings you can run the following in devtools console opened on any of your extension pages (i.e. not in content scripts):
fetch('/manifest.json').then(_ => _.text()).then(_ => chrome.management.getPermissionWarningsByManifest(_, console.log))
To view the permissions of any installed extension, unpacked or from the store, open chrome://extensions page and click the details button on that extension's card.
The circled part is for API permissions. Site access below lists the host permissions, which are displayed in simplified form when an extension is installed in the web store e.g. <all_urls> would be "Read and change all your data on the websites you visit".
The exact text of each permission warning is also listed in the documentation.
Your extension uses <all_urls> which means broad access and the slow manual review queue. As suggested, you can try to use activeTab permission instead of <all_urls>. In case it won't work, open a new report on https://crbug.com because the old one was abandoned. Also, try using chrome.devtools.inspectedWindow API that provides eval method that is similar to chrome.tabs.executeScript and might work with activeTab. Note, it's not related to JavaScript eval.
There's an obvious temptation to request the maximum permissions from users who install my Chrome Extension simply because it makes development easier knowing that whatever Chrome API I use is covered.
But is there an easy way to know I'm only requesting the minimum permissions I need?
AFAIK there is no automated way to figure this out, but if you want to do it manually, use the following procedure:
Deny everything.
Then, selectively request only what is needed to make a specific feature work.
Work through your extension, feature by feature.
In the end you will have only requested what is actually needed, and not more.
I have an chrome extension that might be disabled by the user. I want to create a link to the chrome://extensions menu in that case. It would be something like
Chrome extensions
which is not allowed: Not allowed to load local resource: chrome://extensions/
Most of the solutions I have read imply the use of an extension (which for this use case will be disabled):
chrome.tabs.create({'url': 'chrome://extensions'});
Is there any way to solve this issue?
Of course, I might be wrong... In that case, what could I do?
Thanks in advance
No. There exist privileged URLs and they cannot be opened from web pages or the command line.
Is there a way to install a crossrider extension on a user's computer without letting him/her know it? My website requires this when a user click on a "set as homepage" link.
Thanks for any help.
Changing the user's home page is generaly concidered as a very annoying thing to do. You can look at this previous discution.
Installing an extension without warning the user is not possible in a normal way because of obvious security reasons. When you know what kind of things you can do with google extension, it's better like this. It should be a huge problem if an extension can install himself without warn and send your password or personnal information like your bank credentials...
I may be a bit of paranoid when it comes to installing chrome extension that request access to all my tabs and data. While a extension may be safe for the moment, a simple auto background update can make it a malicious virus and you won't even get notified about updates.
I would like to specifically whitelist all my extension to access the content pear webpages bases. Is there any such tool out there already (natively perhaps) before i start hacking my own extension to control it on my own.
That would leave me to my next question. Extension can be a bit secured running sandboxed environment and have no access to the "real" filesystem (not the virtual sandboxed filesystem) but could i write a NaCl plugin and have have full access and change the manifest file to change the content_scripts settings? if so, could you point me in the right direction?
I'm not sure to understand clearly your question, but let's calrify some things about extensions and how they can be dangerous:
First: If an extension updates and want to have new authorisations, Chrome will warn you and you can choose if you want it to be updated
Second: Chrome sandboxes extensions running on your computer
Third: The only authorisation that may represent a real danger for your computer are the ones requesting authorisation to "Access all data on your computer"
.
.
.
If you are really worried that some extensions may represent a danger for you (and I understand you), you can restrict them to run on specific webpages by doing the following:
1. Go to the extensions folders [C:\Users(YOUR USERNAME)\AppData\Local\Google\Chrome\User Data\Default\Extensions(APPID)] and open the manifest.json file with any text editor
2. In "content_scripts" declaration, in "matches", specify sites where the extension will ONLY work on [ex:*://google.com/* will make extension be active ONLY for google.com]
You can even be more precise and set specific URLs/HTML pages (see more: https://developer.chrome.com/extensions/match_patterns)
Hope it helps!
If it doesn't, please clarify your question again.