How to know which permissions my chrome extension needs? - google-chrome-extension

I just wrote a chrome extension which adds a tab to devtools that generates CSS selectors from sample elements on any page. I have set the "<all_urls>" permissions since I'll inject JS using content scripts in whatever page the user wants to select sample elements. I just paid $5 to Google and as I was in the process of publishing the extension to the chrome extensions store, Google warned me it may take several weeks for my extension to be approved because permissions are too broad.
According to Google, I may not need to declare any host permission if I declare the activeTab permission. Not sure if that applies to my case, but most importantly, I have no idea whether I may actually need additional permissions since no warnings will be shown when my extension is unpacked (I understand that to mean no warnings will be shown and the extension will be allowed to run any code regardless of any missing permissions), which is how I'm testing it.
Google then suggests packing the installed extension in order to see the warnings, but then I won't see any warning because the extension won't run. So I don't seem to have any way to know whether I actually need the "<all_urls>" permission or whether I need any additional permission other than testing my luck by publishing it and waiting several weeks to see what happens, and repeat this process until I come up with the minimum required permissions, so I wonder if anyone knows a better alternative.

Permission warnings are shown by the browser before an extension is installed. They list the API and host permissions. These warnings don't influence the functionality of the extension.
To view these warnings you can run the following in devtools console opened on any of your extension pages (i.e. not in content scripts):
fetch('/manifest.json').then(_ => _.text()).then(_ => chrome.management.getPermissionWarningsByManifest(_, console.log))
To view the permissions of any installed extension, unpacked or from the store, open chrome://extensions page and click the details button on that extension's card.
The circled part is for API permissions. Site access below lists the host permissions, which are displayed in simplified form when an extension is installed in the web store e.g. <all_urls> would be "Read and change all your data on the websites you visit".
The exact text of each permission warning is also listed in the documentation.
Your extension uses <all_urls> which means broad access and the slow manual review queue. As suggested, you can try to use activeTab permission instead of <all_urls>. In case it won't work, open a new report on https://crbug.com because the old one was abandoned. Also, try using chrome.devtools.inspectedWindow API that provides eval method that is similar to chrome.tabs.executeScript and might work with activeTab. Note, it's not related to JavaScript eval.

Related

Do I need any permissions for my chrome extension?

I am making my first ever chrome extension and I had some questions. My chrome extension is super simple only containing some buttons that go to links. I want to know if I need any permissions for this sort of thing. I am not collecting data or anything like that, I am only giving the user buttons that they can click to go to different URLs.
Picture of my extension
"permissions": ["ANYTHING", "ANYTHING"],
Do I need anything in here?
If not, can I just delete this whole line?
Mostly you will not need this line because you did not access any unauthorized user permissions such as access to the camera, file manager, search history, change the browser's background itself, privacy and follow everything ....
But you are only dealing with a simple HTML page DOM
If you want to know every time do you need permissions or not
Just write your code without asking for permissions, and if it works successfully, you do not need access permission, but if the code does not work, then know that you need permission and review the code that's all
You can also find out what powers you can access in your Google Chrome extension
Declare permissions

How do I get access to all the files in the extension in Chrome Extension Manifest Version 3 (MV3)?

Background
I've been using the crx-hotreload package to auto-reload my chrome extensions during development because it's annoying to have to click the refresh button on the Extensions page every time you make a change; however, this package doesn't work with MV3 because it uses the chrome.runtime.getPackageDirectoryEntry method, which seems to have been removed from chrome.runtime in MV3. I can't find documentation to confirm that it was removed, but it's not there when I try to use it.
Questions
Does anyone know how to get access to all the files in the extension directory in Chrome Extension Manifest Version 3?
Or generally, is there a better way that I can hot-reload my chrome extensions during development that would work for MV3?
This is one of many things based on DOM capabilities of background pages that are removed from ManifestV3 because service workers don't have DOM. For example, getPackageDirectoryEntry is using the old nonstandard FileSystem API in its returned value.
As to why, apparently the switch to service workers simplifies the internal source code in Chromium, even if it doesn't provide any real improvements for extension authors or users.
At this point all you can do is present a convincing use case and ask Chromium developers via https://crbug.com to implement an alternative API.

Forcing disable of Google Account synchronization of extension on a per-extension basis

We have authored a Chrome extension and would like to ensure that our extension does not at any time participate in being sync'd using Google Account synchronization, even if the user has specified in the Advanced sync settings dialog that extensions be sync'd. Is there a way to prevent this sync'ing on a per-extension basis? Is there some setting we could place in the extension manifest file to accomplish this? Or other way to accomplish this?
If that is not possible, can we force the Extensions checkbox to always be unchecked and unalterable by the user, using enterprise-level techniques such as Group Policy Update? This is not optimal, since we only want to stop the sync'ing of our extension, and not prevent sync'ing of all extensions.
We do see that the SyncDisabled policy registry setting is available to us, but that looks like it will disable ALL data synchronization including Apps, Extensions, Settings, History, etc. This is even less desirable to us, since we don't want to affect other synchronization -- we just want to prevent only our extension from being sync'd.
The use case for this involves the following:
A corporate user installs Chrome on his work computer. Our extension is useful in the enterprise environment and is installed on Chrome.
At some point, using the Chrome browser, this user logs into his personal Gmail account. He has set up his Google Account to turn synchronization on.
Now when this user, using his home computer and Chrome browser, logs in to Google, he will find that our extension has also been installed on his Chrome browser at home -- this is not desirable, since our extension has no usefulness in the home environment. Moreover, the user may consider the presence of our extension an unwanted intrusion into his home computing environment.
The only remedy for this user would seem to be that he could go to the Advanced sync settings and uncheck the Extensions checkbox, but then he would lose the benefit of extension sync'ing of other extensions, which he may want.
Well, if you're doing it in a corporate / managed environment, you don't need to publish your extension on Web Store at all (thus preventing the sync) if you can use Group Policy.
Any extension in ExtensionInstallForcelist will be installed even if it (and its update manifest) is hosted outside Web Store. This will prevent the extension itself from syncing (though will probably still allow chrome.storage.sync to function for it, which is a plus).
Other than that, I don't think there's a way to prevent an individual Store-hosted extension from syncing.

No-Content-Script for chrome extension

I may be a bit of paranoid when it comes to installing chrome extension that request access to all my tabs and data. While a extension may be safe for the moment, a simple auto background update can make it a malicious virus and you won't even get notified about updates.
I would like to specifically whitelist all my extension to access the content pear webpages bases. Is there any such tool out there already (natively perhaps) before i start hacking my own extension to control it on my own.
That would leave me to my next question. Extension can be a bit secured running sandboxed environment and have no access to the "real" filesystem (not the virtual sandboxed filesystem) but could i write a NaCl plugin and have have full access and change the manifest file to change the content_scripts settings? if so, could you point me in the right direction?
I'm not sure to understand clearly your question, but let's calrify some things about extensions and how they can be dangerous:
First: If an extension updates and want to have new authorisations, Chrome will warn you and you can choose if you want it to be updated
Second: Chrome sandboxes extensions running on your computer
Third: The only authorisation that may represent a real danger for your computer are the ones requesting authorisation to "Access all data on your computer"
.
.
.
If you are really worried that some extensions may represent a danger for you (and I understand you), you can restrict them to run on specific webpages by doing the following:
1. Go to the extensions folders [C:\Users(YOUR USERNAME)\AppData\Local\Google\Chrome\User Data\Default\Extensions(APPID)] and open the manifest.json file with any text editor
2. In "content_scripts" declaration, in "matches", specify sites where the extension will ONLY work on [ex:*://google.com/* will make extension be active ONLY for google.com]
You can even be more precise and set specific URLs/HTML pages (see more: https://developer.chrome.com/extensions/match_patterns)
Hope it helps!
If it doesn't, please clarify your question again.

Get a friendly name for browser/computer

Is it possible to retrieve the computer name when developing a Chrome Extension, for example "Jenny-PC"?
At first glance I did not find the API, but maybe I missed something.
If you are quite the daredevil, you could try to extract that info from a NPAPI plugin. This is quite dangerous, as you can read more about on the chrome extension site
No directly, for security reasons extensions can't access OS services.
But, hacker way, you may find some odd way to get what you're looking for.
If your extension has file:// permission, it can read system configuration files.
If you can get the user drop some file containing the name you want on some receiver in your extension's page, you can read it with HTML5 FileReader object.
If you can get the user download and execute some script you wrote (for example a .bat in Windows), it can grab that name and send to the extensions in various ways:
- writing it in a file the extension can read
- executing something like
"c:\chrome install folder\chrome.exe" chrome://extensions/yourextensionkey/receiver.html?name=thenameyourellokingfor
About file:// permission
Chrome Web Store doesn't allow uploading nor publishing extensions with such permission. But the extension works if you install it as a developer, or as .crx .
I'm not sure, but I think you can upload it to Chrome web store modifying it, in order to ask for permission.

Resources