Chrome Manifest v3 host permission is not a good idea

Shridhar TL

Jun 9, 2022, 12:59:59 PM
to Chromium Extensions
Hi,

I have been maintaining this extension for a few years and I have a decent user base: https://chrome.google.com/webstore/detail/jira-assistant-worklog-sp/momjbjbjpbcbnepbgkkiaofkgimihbii

My extension may need to access any Jira site, and so far, when using manifest v2, I have given the all-URLs permission as an optional permission and requested permission from the user for a specific site when accessing it.

But now with this new Manifest v3 change in the picture, after upgrading to this latest manifest version, I had to move those from optional permissions to host permissions. With this change all the users are getting a security warning and I am getting lots of mails.

I would like to continue to request this permission at run time so that the user would be comfortable providing permission for the required sites only. But with this new manifest upgrade this is causing big trouble and lots of users are really worried about this warning.

I believe as more extensions are migrated to the latest manifest, they would start facing similar issues. Kindly let me know what could be the possible solution for this.

Here is a detailed description of the issue: https://github.com/shridhar-tl/jira-assistant/issues/213

Jackie Han

Jun 9, 2022, 5:13:17 PM
to Shridhar TL, Chromium Extensions
MV2: "permissions" + "optional_permissions"
MV3: "permissions" + "optional_permissions" + "host_permissions" + "optional_host_permissions"

"optional_host_permissions" is one of the most requested features for developers, and it is available in Chrome 102.


Shridhar TL

Jun 10, 2022, 1:04:13 AM
to Chromium Extensions, Jackie Han, Chromium Extensions, Shridhar TL
Thank you for your reply. But I am already using the latest version of Chrome (102.x) and still "optional_host_permissions" is not working. Not sure what else I can try.

Jackie Han

Jun 10, 2022, 1:46:33 AM
to Shridhar TL, Chromium Extensions
In my test, "optional_host_permissions" in MV3 works in the same way as in MV2. For example,

"optional_host_permissions": [
  "https://www.google.com/"
]

chrome.permissions.contains(
  {origins: ["https://www.google.com/"]},
  console.log,
)

chrome.permissions.request(
  {origins: ["https://www.google.com/"]},
  console.log,
)

Shridhar TL

Jun 10, 2022, 10:08:48 AM
to Chromium Extensions, Jackie Han, Chromium Extensions, Shridhar TL

Yes, I know about it and I already had this code in place. But what I did not know is that this code would work only if it is placed straight behind a user interaction. If it happens in the background through an automatic trigger, then this doesn't work. This could be a security feature, I believe.

Anyway, thank you Jackie Han for your reply, which gave me a clue to identify the issue. Now I will have to ensure all my users upgrade to the latest version of Chrome so that I can make this change and the extension continues to work for them.

Thanks & Regards,
Shridhar

Jackie Han

Jun 10, 2022, 11:36:31 AM
to Shridhar TL, Chromium Extensions
You're welcome.

The document says "Permissions must be requested from inside a user gesture, like a button's click handler."

In my test, not only a button in a foreground page, but also sendMessage from a content script or extension page and a click on a contextMenu can request permissions in the background page/service worker; they are also treated as user gestures.
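The pattern this thread arrives at, as an added example that is not part of any poster's message or the extension's own code: background code only checks access, and the prompt is raised from a click handler for one HTTPS host at a time. The manifest entry `"optional_host_permissions": ["https://*/*"]`, the element ids `connect` and `site-url`, and the function names are assumptions made for illustration.

```javascript
// Added example. Assumes manifest.json (MV3) declares
//   "optional_host_permissions": ["https://*/*"]
// so a single HTTPS host can be requested at run time.

// Reduce a user-entered site URL to the narrowest pattern: one HTTPS host.
function toOriginPattern(siteUrl) {
  let url;
  try {
    url = new URL(siteUrl);
  } catch {
    throw new Error("not a valid URL: " + siteUrl);
  }
  if (url.protocol !== "https:") throw new Error("only https sites are supported");
  if (url.hostname.includes("*")) throw new Error("wildcard hosts are not accepted");
  // Path, query, port and credentials are dropped on purpose.
  return "https://" + url.hostname + "/*";
}

// Safe from automatic triggers in the service worker: checks, never prompts.
function hasHostAccess(permissions, siteUrl) {
  return permissions.contains({ origins: [toOriginPattern(siteUrl)] });
}

// Call only from inside a user gesture, e.g. a button's click handler.
function requestHostAccess(permissions, siteUrl) {
  return permissions.request({ origins: [toOriginPattern(siteUrl)] });
}

// Wiring for an extension page; skipped when no extension API or DOM exists.
if (typeof chrome !== "undefined" && chrome.permissions && typeof document !== "undefined") {
  document.getElementById("connect").addEventListener("click", async () => {
    const site = document.getElementById("site-url").value; // hypothetical input
    try {
      const granted = await requestHostAccess(chrome.permissions, site);
      console.log(granted ? "access granted" : "access declined", site);
    } catch (err) {
      console.warn("permission request failed:", err.message);
    }
  });
}
```

The `permissions` argument is `chrome.permissions` in the extension; passing it in lets the same functions be exercised with a stub outside the browser.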

Jackie Han

Jun 10, 2022, 11:42:44 AM
to Shridhar TL, Chromium Extensions
> Now I will have to ensure all my users upgrade to the latest version of Chrome so that I can make this change and the extension continues to work for them.

You can add "minimum_chrome_version": "102" in your manifest.json, which guarantees that only users who use Chrome 102+ will upgrade your extension (less than 102 will not upgrade).

Shridhar TL

Jun 11, 2022, 12:18:33 AM
to Chromium Extensions, Jackie Han
Great, that's good to know. Thank you again for this info.