Rejection of extension with error message: product violates the "Use of Permissions" section of the policy

[Shridhar TL]

Extension page: https://chrome.google.com/webstore/detail/jira-assistant/momjbjbjpbcbnepbgkkiaofkgimihbii

I am the developer for above extension named "Jira Assistant". I have it hosted in Webstore since more than 2 years. But from past couple of months, I have tried to publish updates multiple times and I keep getting rejection notice with below details after around 5-6 days.

"User Data Privacy"

Your product violates the "Use of Permissions" section of the policy, which requires that you:

• Request access to the narrowest permissions necessary to implement your product’s features or services.
• If more than one permission could be used to implement a feature, you must request those with the least access to data or functionality.
• Don't attempt to "future proof" your product by requesting a permission that might benefit services or features that have not yet been implemented.

I do comply with the above policy and still I keep getting it rejected and below is the permissions section from my manifest.json. 

Manifest JSON:

  "content_security_policy": "script-src 'self' ; object-src 'self';",

  "permissions": [

    "activeTab",

    "storage"

  ],

  "optional_permissions": [

    "unlimitedStorage",

    "identity",

    "tabs",

    "http://*/",

    "https://*/"

  ],

Why is such a generic mail being sent instead of pinpointing the exact permission causing the issue? I already removed multiple features to reduce the required permissions and moved few to optional permissions list and still it is getting rejected. Can someone please help me soon to solve this issue as since couple of months I keep getting 100's of mail everyday related to the current issue with extension and I will have to provide the fix soon.

Thank you in advance for your help!!

[Hr Gwea]

The "activeTab" permission is most likely the reason. That permission is very powerful and requires no user approval. If the user clicks on your extension's toolbar icon, your extension gets full access to the current tab, even more so than the <all_urls> permission.

So, you must provide a very good reason to request that permission, otherwise you'll get a rejection.

Specifically, you must explain why clicking on your extension's toolbar icon must grant you full access to the active tab.

[Shridhar TL]

Thank you very much for your reply. Below is the reason why I use activeTab permission:

1) I need to get the url of the site which is currently open when the user click on the Extension icon. That url will be auto filled in the form field in my extension for the user to integrate.

2) Proceeding forward, I will be calling the api from the site open in the active tab. Here I will not actually authenticate with that site. I will use the browsers authenticated session to give cross site request to that domain. This is well known to the users and more over this is one of the most liked feature of the extension as the users need not provide credentials within the extension and it can use the pre-authenticated session from browser.

Is this not accepted as a valid reason? Or do I have any other option to get the url of active tab when the user click on it?

Any help is much appreciated.

[Shridhar TL]

To add more details, please refer the following documentation from Google where it is suggested to use activeTab and this is more equivalent to my case. Also in this document it is mentioned that activeTab is much better than using tabs or <all_urls>. So I believe I followed the suggested approach only and that shouldn't be the reason for rejection.

https://developer.chrome.com/extensions/activeTab

[Alan Lawson]

It sounds like your problem is similar to one I am currently having. From the documentation:

From M72 onwards, the activeTab permission will be granted until the user navigates to a different origin. That is, if the user invokes the extension on https://example.com and then navigates to https://example.com/foo, the extension will continue to have access to the page. If the user navigates to https://chromium.org, access is revoked.

Perhaps I am not understanding it correctly but it sounds like activeTab is granted by default to the current tab at the time that the extension starts and there is no need to specify it. My problem is that my extension has persistent=true which means that the URL has changed many times before the user actually clicks the icon so the activeTab has already been revoked (I have verified this by testing my extension without the activeTab). I don't see the persistent option in your manifest so maybe that would not be a problem for you. It would be interesting to try it without the activeTab permission and see if it still works. Maybe someone can clarify this for us.

[Shridhar TL]

Thank you all for your suggestions. My issue got resolved. I had removed the activeTab permission (and of course the related functionalities as well) and also once again sent a mail to dev support. Couple of days later my extension got approved and got a reply stating my extension was reinstated. So I am not sure what has resolved this issue. But now it was solved. Later once my extension becomes stable from all the existing issues, I will add the permission and functionality back and retry to publish and see if that is the real reason.

[Alan Lawson]

That's good to hear that you got approved. Your extension is very impressive (and big!). Despite the Chrome Extension documentation, it seems they will not let any new extension use activeTab anymore even if it makes the extension total inoperable. I have been unable to get approval to use it for months now despite numerous detailed emails and videos and even some assistance from Simeon. It makes you wonder if something else is going on....

[Rob H]

it seems they will not let any new extension use activeTab anymore even if it makes the extension total inoperable

Wasn't the activeTab permission introduced in order to offer something less permissive than the tabs permission? See the comments on this SO answer:

Note: This no longer needs the tabs permission. If initiated by a click on the extension button, activeTab permission is sufficient. – Xan Aug 14 '14 at 8:19

  

tabs is such a heavy permission! Consider using: activeTab. – Константин Ван Jul 20 '16 at 12:53 

I am facing the "use of permissions" reason for rejection too (I have asked for clarification and it's only been a day for that rejection reason). I use the activeTab permission, but I find it hard to believe that reviewers are denying use of this permission without letting developers know.

If I am not able to use activeTab, I wonder how I can read the active tab's page URL. It would be huge if that were no longer allowed.

[Vanessa Dias]

 My extension is getting rejected due to "Use of Permissions".

Adding the content on the rejection email

Your item did not comply with the following section of our Program Policies:

"User Data Privacy"

Your product violates the "Use of Permissions" section of the policy, which requires that you:

• Request access to the narrowest permissions necessary to implement your product’s features or services.
• If more than one permission could be used to implement a feature, you must request those with the least access to data or functionality.
• Don't attempt to "future proof" your product by requesting a permission that might benefit services or features that have not yet been implemented.

 I've been wondering what permissions might have triggered the need for such a review.

 

For the functionality of my extension we requires user to login to gmail account to use the office tools i.e Google translate, Excel, Word, Power Point and more. 

For that reason, I've required the following permissions in the manifest:

tabs

Do I need to add another permission to my manifest file

My questions:

• What permissions I need to request to get my extension approved

The extension ID is ldbhojoiaggmgkjcepnmcebablbgpbfk

Thanks!

[Simeon Vincent]

Perhaps I am not understanding it correctly but it sounds like activeTab is granted by default to the current tab at the time that the extension starts and there is no need to specify it

This is not correct. It's saying that if you request the activeTab permission, the temporary permissions granted at invocation will persist until the user navigates to another domain. For example, you're on http://example.com and click the extension's action button you will be granted temporary host permissions for the site. If you were to click a link and navigate to http://example.com/subpath, you will still have host permissions on the freshly loaded page. The extension will continue to have host permissions until you navigate away from example.com.

Cheers,

Simeon - @dotproto

Extensions Developer Advocate

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/8051f3f1-b374-4f01-b627-c581a238c160%40chromium.org.

[Simeon Vincent]

Wasn't the activeTab permission introduced in order to offer something less permissive than the tabs permission?'

activeTab is more an alternative to static host permissions than tabs. I think the confusion here stems from the fact that host permissions grant an extension access to the data that tabs would expose – namely a Tab instance's url, title, favIcon, and pendingUrl properties. Note that you do not need tabs to call methods on the tabs API. Host permissions also do much more than that, but for the comment you linked that's all they needed to do. The thing is activeTab can do a lot of other, potentially dangerous stuff. If you're not actually using the capabilities it grants, you should not be requesting it. 

I saw in another thread that you mentioned ickfhlplfbipnfahjbeongebnmojbnhm. Assuming this is the same extension you're talking about in this thread, it looks like you were rejected for a SPAM violation, not Use of Permissions. I'm requesting a second opinion on your behalf now.

Cheers,

Simeon - @dotproto

Extensions Developer Advocate

--

You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/34ad5f05-242e-47f9-b6fd-5b22defc765e%40chromium.org.

[Rob H]

Yes that was part of my confusion, I did not know host permissions could give access to the tab URL or the tabs API.

Another point of confusion is that Firefox requires the activeTab permission even when access to the host is already granted. While that is not Chrome's fault, Chrome docs could write out how host permissions enable data in the tabs API (as you have done) in either the tabs API, the activeTab page, pages that talk about host permissions, or all of the above.

Googling for "page url chrome extension" leads to all kinds of answers suggesting tabs or activeTab.

Thanks for your help and your efforts here. I'm all set now and hope to have better interactions down the road.

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extensions+unsub...@chromium.org.