activeTab appears to work differently in Chrome and Firefox

[Rob H]

Hi, if your extension has been rejected for "use of permissions" and you use "activeTab", try removing that permission and check to see if your extension still works with Chrome. If so, you might need a separate manifest where you request the permission in Firefox but not in Chrome.

My code grabs the current tab's URL when the browser action (popup) is clicked, and I thought activeTab was required to read the URL. However, after removing the activeTab permission from Chrome's manifest, the code works fine! Firefox does still require this permission so you need to customize your manifest for each. (Here is a way to write custom manifests depending on browser/environment using webpack: webpack.config.js and package.json.)

Also here is the activeTab documentation from Chrome and the activeTab documentation from Mozilla. Maybe someone else can figure out what's going on.

I'm going to try resubmitting my extension without this permission. Hopefully it will be approved. I'm relieved to have an answer to the back and forth emails with the Chrome extensions review team. Most recently, they wrote:

Request access to the narrowest permissions necessary to implement your Product’s features or services. If more than one permission could be used to implement a feature, you must request those with the least access to data or functionality. For Instance : activeTab permission.

Previously, I was not told which permission was problematic and I had no idea where to start looking. This would have been a challenge to hunt down without a hint because I had no idea Chrome and Firefox implemented this permission differently. I only saw one allusion to it here. I guess the trick is to continue responding patiently to the rejection emails until you get a more detailed response.

[Chase Leslie]

If you only need to read the current tab URL, the tabs permission is probably the narrowest permission required. Both Firefox documentation and Chrome documentation specify tabs permission is needed to read tab.url. activeTab is more permissive, as it allows the extension to inject code. I just tested a minimal case, and it looks like Chrome allows reading tab.url if the host permissions are present without having either of activeTab or tabs permissions, while Firefox does not. I don't know whether this is a feature or a bug in Chrome, as the documentation about tab.url says (emphasis mine):

The last committed URL of the main frame of the tab. This property is only present if the extension's manifest includes the "tabs" permission and may be an empty string if the tab has not yet committed.

[PhistucK]

tabs is a very broad permission, do not use it unless you absolutely have to (compatibility with Firefox is not an acceptable reason, create a separate manifest for Firefox instead).

Yes, browserAction.onClicked (and I suppose pageAction.onClicked), activeTab, content scripts matches, host permissions and tabs (sort of in order of broadness, the last being the broadest) are ways to get tab.url (there might be more, I do not remember).

The rationale is that if you have access to a host in any way (permission/matches for example), there is no reason to hide tab.url from you, as you can simply execute a script there that will let the background/popup page know the URL. Plus, the permission confirmation box does not need to change, because it already tells the user that you are messing with those hosts.

The documentation is unfortunately outdated and Firefox either did not reverse engineer this detail, did not keep up with the changes, or explicitly chose not to implement this (too bad, because it makes sense, maybe file an issue with them).

Always choose the least amount of power required for your extension.

☆PhistucK

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/c690fb24-71ea-4d8d-8012-2a2ca79dfeac%40chromium.org.