publishing delayed - Broad host permissions

[Richard Bernstein]

I am getting a message when I try to publish:

Instead of requesting broad host permissions or content script site matches, consider specifying the sites that your extension needs access to, or use the activeTab permission. Both options are more secure than allowing full access to an indeterminate number of sites, and may help minimize review times.

The activeTab permission allows access to a tab in response to an explicit user gesture.

{
...
"permissions": ["activeTab"]

My actual manifest is:

 "permissions": [

    "activeTab",

    "identity",

    "identity.email",

"https://www.rdsubstantiation.com/sub_crud/*.*",

"https://www.rdsubstantiation.com/sub_crud/register/*",

"https://www.rdsubstantiation.com/sub_crud/Subit_backend/*",

"geolocation",

"storage",

"tabs"

  ],

As you can see I already have activeTab. The rdsubstantiation.com is my server. So that only leaves identity, identity.email (I use these to identify the user), geolocation (I took this out), storage (I am saving some stuff in local cookies), and tabs. Can anyone tell me which is exactly causing the issue? 

[Simeon Vincent]

Do you have content any scripts? As noted in the error message, your "content_scripts" can also affect reviews Specifically, the "matches" field for a content script.

If your extension is invoked by a user action (e.g. the "activeTab"or "contextMenus" permissions) then you can inject your content script in the appropriate callback function via "chrome.tabs.executeScript". Note that you do not need the "tabs" permission to use this API.

Simeon

Chrome Developer Advocate

[Richard Bernstein]

Simeon. there are actually no content scripts. It consists soley of a popup script (actually more than one) and a background script. The user opens the popup and presses login which then(after some authentication) connects them with my backend at rdsubstantiation.com. The back end then populates the pulldown via XMLHTTP. So that is the crux of the communication; it is really between the popup/background and my server. The user can then record the information that they want from the popup by sending it to my backend. My backend then talks with AWS for archiving data but that is another story. The next part I will add (I am setting up a development PC for it now) will allow the user to capture any of the open tabs in the browser and associate that data with their account on my system. The user will be in total control of what gets captured and what account to associate it with.  The person doing this image capture is an administrator and I am hoping to be able to allow the user to initiate an Extension popup from my server app which will be in one of the tabs. That is the main reason i am thinking that asking their OK on a tab by tab basis is a clunky solution. They are in total charge and will need to open the tab that they want to copy and then press the "snapshot" button to get a copy of it anyway. They will then need to tell us what to associate it with. 

So the bottom line, I'd prefer to only remove things from permissions that are causing major issues. I guess I can remove geolocation (although knowing the country of the user is important)  and the "tab" since it will only act on the active tab anyway. Will removing "tab" solve my broad host permissions issue?

[Simeon Vincent]

Ah, I should have mentioned the "tabs" permission before. That permission is powerful: it gives you extension the ability to read the URLs and page titles of all open tabs (save for incognito). Needless to say, this is sensitive data that a user may not want exposed or broadly shared.

Based on your description, though, it sounds like the "tabs" permissions is core to your functionality as without it you can't access the tab data you need. Unfortunately, that means a more stringent review is a necessary part of the publishing process.

Simeon

Chrome Developer Advocate

[Richard Bernstein]

Simeon, I thought I solved this issue but maybe not? I got rid of "tabs". Here is what I have now:

 "permissions": [

    "activeTab",

    "identity",

    "identity.email",

"https://www.rdsubstantiation.com/sub_crud/*.*",

"https://www.rdsubstantiation.com/sub_crud/register/*",

"https://www.rdsubstantiation.com/sub_crud/Subit_backend/*",

"storage",

"geolocation"

  ],

 I am still getting this error when i try to publish:

Publishing will be delayed

Because of the following issue, your extension may require an in-depth review:

- Broad host permissions

Instead of requesting broad host permissions or content script site matches, consider specifying the sites that your extension needs access to, or use the activeTab permission. Both options are more secure than allowing full access to an indeterminate number of sites, and may help minimize review times.

The activeTab permission allows access to a tab in response to an explicit user gesture.

{
...

Is there anything also in that [permissions] that would cause the issue? Do I need to remove activeTab too?

[Richard Bernstein]

Well I determined that this has nothing to do with permissions. I removed all the permissions

  "permissions": [

  ],

and I get the same error! 

[Richard Bernstein]

Never mind. I found it. It was a content script, as you originally thought. thx

--
You received this message because you are subscribed to a topic in the Google Groups "Chromium Extensions" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/chromium-extensions/S1_uqpDFVzY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at https://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/67c093b9-24dd-4ac9-9f8a-ac4648ef7f2b%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/d/optout.

[Daniel Glazman]

> Le 28 janv. 2019 à 19:34, Simeon Vincent <sim...@chromium.org> a écrit :
>
> Ah, I should have mentioned the "tabs" permission before. That permission is powerful: it gives you extension the ability to read the URLs and page titles of all open tabs (save for incognito). Needless to say, this is sensitive data that a user may not want exposed or broadly shared.

Well. How is that more dangerous than a code injection in each tab and frame that reports |document.location.href| to the background through a message?

I disagree with the statement above; browser extensions are a careful balance between innovation power and restrictions because of some bad guys. If we increase the latter, it can harm the former. And we have now multiple examples of perfectly "clean" extensions that are harmed by the extensive review on "tabs" permission.

</Daniel>

[Simeon Vincent]

How is that more dangerous than a code injection in each tab

Apologies for my confusing phrasing. It's not more dangerous and I didn't mean to give that impression. I was attempting to describe why "tabs" might trigger that warning. Regardless, as Richard found, the warning wasn't being triggered by tabs but rather content script injection. 

Simeon - @dotproto

Extensions Developer Advocate

On Sunday, February 3, 2019 at 3:33:30 AM UTC-8, Daniel Glazman wrote:

[Simeon Vincent]

Oh shoot, I just necrod a thread 'cause I'm at scrolling. Apologies, all.