'tabs' permission in chrome extensions

Ritik Roongta

Apr 12, 2023, 11:34:54 PM
to Chromium Extensions
Hi,
I am studying a certain class of adblocking Chrome extensions which require a lot of permissions. Almost all of them ask for the 'tabs' permission. As per the Chrome documentation, you only need the 'tabs' permission in 4 cases, i.e. url, pendingUrl, title, and favIconUrl, but none of the extensions seem to use these properties.

Is there any discrepancy in the documentation, or is this a case of violation of the principle of least privilege?

wOxxOm

Apr 13, 2023, 1:14:07 AM
to Chromium Extensions, Ritik Roongta
Most code violates some principle or another, so it's quite possible those extensions do as well, but it's also possible you've made a mistake, so it'd be more reliable if you link an extension in question and we look at its code.

Deco

Apr 13, 2023, 5:16:10 AM
to Ritik Roongta, Chromium Extensions
No, this is normal behaviour - adblock extensions require the ability to track when a URL redirection is performed on a current tab, or new tab, in order to intercept and block the defined host accordingly. They also require it in order to analyse the DOM elements on a page for advertisements which cannot be blocked by a defined host.

Cheers,
Deco

Simeon Vincent

Apr 13, 2023, 8:28:47 AM
to Deco, Ritik Roongta, Chromium Extensions
> They also require it in order to analyse the DOM elements on a page for advertisements which cannot be blocked by a defined host.

The tabs permission does not grant access to the contents of a page; that requires host permissions.

Simeon - @dotproto


Ritik Roongta

Apr 13, 2023, 1:31:48 PM
to Chromium Extensions, Simeon Vincent, Ritik Roongta, Chromium Extensions, Deco
@w0xx0m sure. For example, if I look at the code of uBlock Origin (https://github.com/gorhill/uBlock/), I cannot find the usage of the 4 functions as per the Chrome documentation, but uBlock requests the `tabs` permission. It is interesting to note that they shifted to the `activeTab` permission in MV3.
@Deco I think blocking the malicious URL redirection is handled by webNavigation and webRequest permissions. Please correct me otherwise.

wOxxOm

Apr 13, 2023, 1:46:49 PM
to Chromium Extensions, Ritik Roongta, Simeon Vincent, Chromium Extensions, Deco
There are many usages of a tab's `url` in the source code you've linked, so I guess you didn't look closely. Note that their ManifestV3 version implements only a subset of the ManifestV2 extension because ManifestV3 doesn't implement any means for intelligent ad-blocking, for which uBlock is known.

Ritik Roongta

Apr 13, 2023, 2:39:46 PM
to Chromium Extensions, wOxxOm, Ritik Roongta, Simeon Vincent, Chromium Extensions, Deco
I see. I was grepping with "tabs.url" instead of "tab.url". Thanks for the correction.

Also, the other permission I am curious about is <all_urls>. As per this SO link - https://stackoverflow.com/questions/16096482/what-does-http-https-and-all-urls-mean-in-the-context-of-ch, it says that <all_urls> supports file:// and ftp:// extensions in addition to http*. I believe Firefox completely deprecated the support for the ftp extension in around 2021 and I haven't come across any dynamic websites using file:// extensions. Even if there are, they shouldn't need adblocking support as they would be static. Would like to hear your views on it.
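
The grep mix-up above (`tabs.url` versus `tab.url`) is easy to repeat when auditing an extension for least privilege. The following is an added example, not part of the thread or of any extension's code: a heuristic scan for reads of the four `tabs`-gated properties. The receiver-name matching, function names, verdict strings and sample inputs are assumptions made up for illustration.

```javascript
// Added example: heuristic least-privilege check for the "tabs" permission.
const SENSITIVE = ['url', 'pendingUrl', 'title', 'favIconUrl'];
const PROPS = SENSITIVE.join('|');
// Receiver names are a naming heuristic (assumption): tab, newTab, sender.tab, tabs[0].
const RECEIVER = String.raw`(?:\b\w*[tT]ab\b|\btabs\[[^\]]+\])`;
const PATTERNS = [
  // Property read: tab.url, sender.tab?.title, tabs[0].favIconUrl
  new RegExp(`${RECEIVER}\\s*\\??\\.\\s*(${PROPS})\\b`, 'g'),
  // Query filter on a gated field: tabs.query({ url: ... }) or ({ title: ... })
  new RegExp(String.raw`\btabs\.query\(\s*\{[^}]*?\b(url|title)\s*:`, 'g'),
];
// Destructuring: const { url, title } = tab;
const DESTRUCTURE = new RegExp(String.raw`\{([^{}]*)\}\s*=\s*${RECEIVER}`, 'g');

function findSensitiveTabReads(source) {
  const hits = new Set();
  for (const re of PATTERNS)
    for (const m of source.matchAll(re)) hits.add(m[1]);
  for (const m of source.matchAll(DESTRUCTURE)) {
    for (const part of m[1].split(',')) {
      const name = part.split(':')[0].trim();
      if (SENSITIVE.includes(name)) hits.add(name);
    }
  }
  return [...hits].sort();
}

function auditTabsPermission(manifest, files) {
  const declared = (manifest.permissions || []).includes('tabs');
  const used = {};
  for (const [path, source] of Object.entries(files)) {
    const props = findSensitiveTabReads(source);
    if (props.length) used[path] = props;
  }
  const anyUse = Object.keys(used).length > 0;
  const verdict = !declared ? 'tabs-not-declared'
    : anyUse ? 'tabs-justified' : 'tabs-possibly-unneeded';
  return { declared, used, verdict };
}

// Constructed sample inputs (not taken from any real extension).
const sampleManifest = { manifest_version: 2, permissions: ['tabs', 'webRequest'] };
const sampleFiles = {
  'background.js': `chrome.tabs.onUpdated.addListener((id, info, tab) => {
    if (tab.url) updateBadge(id, tab.title); });`,
  'popup.js': `chrome.tabs.query({ active: true }, (tabs) => {
    const { favIconUrl } = tabs[0]; render(favIconUrl); });`,
};
console.log(auditTabsPermission(sampleManifest, sampleFiles));
```

A `tabs-possibly-unneeded` verdict is only a prompt for manual review: regexes miss aliased variables and indirect access, so absence of a match is not proof the permission is unused.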

wOxxOm

Apr 13, 2023, 2:43:15 PM
to Chromium Extensions, Ritik Roongta, wOxxOm, Simeon Vincent, Chromium Extensions, Deco
It's up to the extension developer which URL schemes to support. It's not like there's a law against using a content blocker on a file:// URL.

Ritik Roongta

Apr 13, 2023, 2:47:40 PM
to Chromium Extensions, wOxxOm, Ritik Roongta, Simeon Vincent, Chromium Extensions, Deco
But is there any relevant use case that you can think of?

wOxxOm

Apr 13, 2023, 2:48:57 PM
to Chromium Extensions, Ritik Roongta, wOxxOm, Simeon Vincent, Chromium Extensions, Deco
I don't know. Just because I can't think of any right now doesn't mean there's none.

wOxxOm

Apr 13, 2023, 2:50:17 PM
to Chromium Extensions, wOxxOm, Ritik Roongta, Simeon Vincent, Chromium Extensions, Deco
Although in the case of uBlock, it may be to allow cosmetic blocking of DOM elements in file:// pages.

Ritik Roongta

Apr 13, 2023, 2:59:15 PM
to Chromium Extensions, wOxxOm, Ritik Roongta, Simeon Vincent, Chromium Extensions, Deco
I see. Thanks a lot.