Clarification on Permission Warnings for "Sheets Image Exporter" Extension


Bob Dylan

Jun 9, 2025, 4:52:29 AM
to Chromium Extensions
I am the developer of the "Sheets Image Exporter" Chrome extension (ID: infelhpemoennpbejdfpfailfackhnf). During installation, users encounter permission warnings that seem inaccurate, and I need assistance to understand and potentially mitigate them.

Manifest details:
- `host_permissions`: ["https://docs.google.com/*", "https://www.googleapis.com/*", "https://accounts.google.com/*"]
- `permissions`: ["activeTab", "storage", "identity", "windows", "downloads"]
- `oauth2` scope: ["https://www.googleapis.com/auth/drive.file"]

Issues:
1. **"Read your browsing history"**: The manifest does not include the `history` permission, only `activeTab`. According to the documentation, `activeTab` provides temporary access to the active tab's URL, title, and content, but not browsing history. This warning is misleading.
2. **"Read and change your data on all google.com sites"**: The extension reads DOM data from Google Sheets for image extraction and saves to Google Drive. It does not access subdomains like mail.google.com or maps.google.com. The broad "all google.com sites" phrasing is inaccurate.
3. **"Read and change your data on accounts.google.com"**: This is used only for OAuth2 authentication to access Google Drive and does not modify user data (e.g., name, payment details).

I tested the extension using the Extension Update Testing Tool, but the warnings persist. Could you please:
- Explain why these warnings appear despite the manifest's limited scope?
- Suggest ways to adjust the manifest or implementation to make warnings more accurate (e.g., using `optional_permissions`)?
- Provide guidance on avoiding the "Read your browsing history" warning given the absence of `history` permission?

Any insights or recommendations would be greatly appreciated. Thank you!

Best regards,
Boris

Bob Dylan

Jun 9, 2025, 5:10:00 AM
to Chromium Extensions, Bob Dylan
I figured out "Read your browsing history". It's because of "windows". I noticed that it disappeared from the documentation, now there is only this:
"tabs"
Gives access to privileged fields of the Tab objects used by several APIs, including chrome.tabs and chrome.windows. You usually don't need to declare this permission to use those APIs.
Warning displayed: Read your browsing history.

Removed "windows" and the warning disappeared.

Bob Dylan

Jun 9, 2025, 5:16:47 AM
to Chromium Extensions, Bob Dylan
I also figured out "Read and change your data on all google.com sites". I didn't like this "all". It's really simple, because of the "*", and not in "host_permissions", but in "matches". I removed "https://*.google.com/spreadsheets/*", and the warning disappeared.
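
An added example, not part of the thread or the extension's code: a small manifest check for the two causes found above, a permission tied to the "Read your browsing history" warning and a wildcard host in either `host_permissions` or a content script's `matches`. The names `hostOf` and `auditManifest` are hypothetical, treating `windows` as a trigger follows the poster's observation, and the sample manifest is constructed from the values posted in the thread.

```javascript
// Added example, not the extension's code. Sample manifest is constructed from the thread.

// "tabs" per the documentation quoted in the thread, "windows" per the poster's test.
const HISTORY_WARNING_PERMISSIONS = new Set(["tabs", "windows"]);

// Host part of a match pattern, e.g. "*.google.com" for "https://*.google.com/x/*".
function hostOf(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(?:\*|https?|file|ftp|wss?):\/\/([^/]*)\//.exec(pattern);
  return m ? m[1] : null;
}

// Returns one finding per manifest entry that widens the install-time warning.
function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions ?? []) {
    if (HISTORY_WARNING_PERMISSIONS.has(p)) {
      findings.push({ source: "permissions", value: p, warning: "Read your browsing history" });
    }
  }
  // Match patterns appear in host_permissions and in every content script's "matches".
  const patterns = (manifest.host_permissions ?? []).map(
    (value) => ({ source: "host_permissions", value }));
  (manifest.content_scripts ?? []).forEach((cs, i) => {
    for (const value of cs.matches ?? []) {
      patterns.push({ source: `content_scripts[${i}].matches`, value });
    }
  });
  for (const { source, value } of patterns) {
    const host = hostOf(value);
    if (host === null) {
      findings.push({ source, value, warning: "unparseable match pattern" });
    } else if (host === "*") {
      findings.push({ source, value, warning: "pattern covers every host" });
    } else if (host.startsWith("*.")) {
      findings.push({ source, value, warning: `Read and change your data on all ${host.slice(2)} sites` });
    }
  }
  return findings;
}

// Constructed sample: the manifest as described before the poster's two fixes.
const SAMPLE_MANIFEST = {
  permissions: ["activeTab", "storage", "identity", "windows", "downloads"],
  host_permissions: ["https://docs.google.com/*", "https://www.googleapis.com/*", "https://accounts.google.com/*"],
  content_scripts: [{ matches: ["https://*.google.com/spreadsheets/*"] }],
};
console.log(auditManifest(SAMPLE_MANIFEST));
```

Run against the sample, it reports the `windows` permission and the `*.google.com` content-script pattern, and nothing for the three exact-host entries in `host_permissions`.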