I have restrictions for including 'tabs' permission in manifest, exist any way to go to some url without using chrome.tabs in chrome extensions?
"tabs" permission used to be needed for all operations, but it's not needed anymore for a long time (since Chrome 7!).
The only thing that this permission grants is reading information about existing tabs.
Quoting the documentation itself (emphasis mine):
The majority of the chrome.tabs API can be used without declaring any
permission. However, the "tabs" permission is required in order to
populate the url, title, and favIconUrl properties of Tab.
So you can easily manipulate tabs (e.g. create or update them) without ever needing any permission.
Also, "activeTab" permission is worth a look.
Related
To implement a new feature in a FF & Chrome web extension and let the user download some data gathered and stored into local storage, I am using chrome.downloads.download(). It requires the "downloads" permission, which has a label stating that it gives access to the download history. As I'm willing not to frighten users with suspicious permissions, I wonder if there is another way of providing this data without requesting "downloads" permission.
My current code looks like:
chrome.downloads.download({
filename: "myfile.json",
saveAs: true,
url: URL.createObjectURL(blob)
});```
After searching for a while, I think the best approach is to use the optional permissions feature. It allows me to request this downloads permission at runtime, then the user is aware of the context in which it is needed.
See
https://extensionworkshop.com/documentation/develop/request-the-right-permissions/#request-permissions-at-runtime
For a Google Chrome extension, I would like to have optional permissions for a "content script" so that the content script is activated only if the user has granted this optional permission. The extension's manifest has a "content_scripts": [{..., "matches": "url"}] that triggers a non-optional request for permission to read and change everything at that URL.
The documentation on option permissions does not mention content scripts. And the documentation for RequestContentScript still says it is not available in stable builds.
Is there a way to do this?
You can use Firefox' browser.contentScripts.register() API and its Chrome polyfill to register new content scripts dynamically. In Chrome 96+ there's also chrome.scripting.registerContentScript, which does something similar.
You'll also have to watch for new permissions and register the scripts on the new hosts.
The module webext-dynamic-content-scripts takes care of all of this.
Originally posted this question here:
https://groups.google.com/a/chromium.org/d/msg/chromium-extensions/wbSpXvnO10A/nov36skmnQ0J
My extension has an optional feature that interacts with the user's gmail tab. We don't want to mention mail.google.com domains at all in the permission confirmation that the user sees when first installing the extension. So I moved that entry out of the manifest's permissions block and into the optional_permissions block. We also needed to use a content script tied to mail.google.com, but defining this in the manifest causes the 'mail.google.com' permission warning that is sppoking some users.
I've tried removing the content_script manifest block and using Programmatic Injection instead as describe here. http://developer.chrome.com/extensions/content_scripts.html#pi
However scripts injected that way are not content scripts and don't have access to the needed APIs (chrome.tabs, etc)
Is there some way to get the best of both worlds: use optional_permission, AND get the content scripts added to a matching URL, but only if the user has approved the optional permission?
It seems like you could create a background page, and call chrome.tabs.query against your optional origin to get a list of tabs that match that host. You can then call programmatic injection to the content script (chrome.tabs.executeScript). None of these require the "tabs" permission (many "tabs" functions don't require any special permission, and it intelligently lets you query for tabs whose origins match your optional permission)
You could call this every second or so to see if there are any new tabs for which you haven't yet called executeScript.
It would be nice if this were edge-triggered. See https://code.google.com/p/chromium/issues/detail?id=264704
You can actually get it to be mostly edge triggered by using chrome.tabs.onUpdated.addListener and simply trying to inject every time that is triggered (which will be every time a page loads in any tab, regardless of whether you have permission or not). You'll get a lot of errors in the background script's console when you don't have permission. It will be important to have your content script set a variable like _I_already_executed=true and check for its existence so that you're not injecting multiple times (this event gets triggered several times for each page load)
Now there's the contentScripts.register() API, which lets you programmatically register content scripts.
browser.contentScripts.register({
matches: ['https://mail.google.com/*'],
js: [{file: 'content.js'}]
});
This API is only available in Firefox but there's a Chrome polyfill you can use. The new scripts will work exactly like your regular content scripts in manifest.json.
For a more comprehensive solution you could look into my webext-domain-permission-toggle and webext-dynamic-content-scripts modules, which don't apply directly to your use case but can be helpful to who wants to drop the <all_urls> permission and inject content scripts on demand.
I'm writing an extension that needs to show a page action on amazon.com pages.
Would it be better to request the "tabs" permission or to inject a content script into amazon.com pages?
The tabs permission strikes me as using less resources (because it just checks the URL against a regex in the background script) but I think it's a scarier permission message ("access your tabs and browsing activity")?
Injecting a content script into amazon.com pages seems like it would take more resources it but would only need permission to amazon.com...
It is a generic question and answer depends on Client to Client. You have pointed out the + and - of each.
I suggest you to go for content scripts if your clients are particular about security and privacy, in this you are adding an extra load to pages(with content scripts and message passing) which may slow down the normal execution process.
I suggest you to go for tab permission, if you are all about performance. It is a native API, and executes in background page no extra load on tabs. Many extensions on web store does use tabs API, i dont think this would scare them as this is not new.
However, it is all about your target section of users.
I'm writing a chrome extension and I want to take a screenshot of the tab in which the extension is running. The extension url is like "chrome-extension://abcde". Everything works if I include "tabs" and "<all_urls>" in my list of permissions, but I don't really want to ask for the <all_urls> permission.
I tried adding "chrome-extension://abcde" to permissions instead of <all_urls> and I get the error "You do not have permission to use 'tabs.captureVisibleTab'. Be sure to declare in your manifest what permissions you need."
How can I solve this?
You should specify the hosts you want to be able to capture in the permissions. Now you've set it to your own Extension ID so that's why it's probably not working.
captureVisibleTab - Captures the visible area of the currently active tab in the specified window. You must have host permission for the URL displayed by the tab.
http://code.google.com/chrome/extensions/tabs.html