Optimize the prompt of declarativeNetRequest permission


唐雪见

Dec 30, 2022, 6:00:36 AM
to Chromium Extensions
Since my extension was upgraded from Manifest V2 to V3, the webRequest permissions I was using before are now changed to declarativeNetRequest permissions.

The browser prompts the user that my extension requests a new permission:
Block pages on any site you access.

This is a very serious warning, many users stopped using my extension, and even thought I violated their privacy, calling on others to report my extension.

But in fact, my extension only runs on 2 websites:
- pixiv.net
- pixivision.net

I use the declarativeNetRequest permission to do only one thing: add Access-Control-Allow-Origin header to the image requests of pximg.net and pixiv.cat to solve the cross-domain problem when loading images with JS.

  {
    "id": 1,
    "priority": 1,
    "action": {
      "type": "modifyHeaders",
      "responseHeaders": [
        {
          "header": "Access-Control-Allow-Origin",
          "operation": "set",
          "value": "*"
        }
      ]
    },
    "condition": {
      "urlFilter": "||pximg.net",
      "resourceTypes": ["xmlhttprequest", "image"]
    }
  }

I noticed that when installing the extension, the browser prompts for host permissions to "read and change your data on some sites" and has a "show details" button that lists all hosts.

Why doesn't the declarativeNetRequest permission do this? I think for an extension that uses limited host permissions, it should only show those hosts, not "all sites".

"All sites" is a misleading term for users who don't understand the technical details. And it would hurt the developers because I was wronged.

Jackie Han

Dec 30, 2022, 8:37:46 AM
to 唐雪见, Chromium Extensions
There has been some discussion about this in the past.

It seems that you should use "declarativeNetRequestWithHostAccess" permission instead of "declarativeNetRequest" permission.


唐雪见

Dec 30, 2022, 10:06:04 AM
to Chromium Extensions, Jackie Han, Chromium Extensions, 唐雪见
Thank you! I hadn't noticed declarativeNetRequestWithHostAccess before; it seems more secure and doesn't show a prompt.
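
A check related to the suggestion above, as an added example that is not from the thread or from Chromium: with declarativeNetRequestWithHostAccess, a rule acts on a request only where the extension holds host permissions for the request URL and its initiator, so this script flags rules whose `||domain` filter is not covered by `host_permissions`. The manifest, the pixiv.cat rule and the helper names are constructed for illustration, and only request hosts are checked, not initiators.

```javascript
// Constructed manifest fragment (not the poster's real manifest).
const manifest = {
  manifest_version: 3,
  permissions: ["declarativeNetRequestWithHostAccess"],
  host_permissions: ["*://*.pixiv.net/*", "*://*.pixivision.net/*", "*://*.pximg.net/*"],
};
// Header action from the post's rule.
const setCors = {
  type: "modifyHeaders",
  responseHeaders: [{ header: "Access-Control-Allow-Origin", operation: "set", value: "*" }],
};
const resourceTypes = ["xmlhttprequest", "image"];
// Rule 1 is the post's rule; rule 2 is constructed for pixiv.cat, which the post also names.
const rules = [
  { id: 1, priority: 1, action: setCors, condition: { urlFilter: "||pximg.net", resourceTypes } },
  { id: 2, priority: 1, action: setCors, condition: { urlFilter: "||pixiv.cat", resourceTypes } },
];

// Host of a "||domain" urlFilter, or null when the filter is not domain-anchored.
function filterHost(urlFilter) {
  const m = /^\|\|([a-z0-9.-]+)/i.exec(urlFilter || "");
  return m ? m[1].toLowerCase() : null;
}

// True when a match pattern covers `host` and all of its subdomains, which is
// what a "||host" filter can match. An exact-host pattern is not enough.
function patternCoversDomain(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(?:\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const p = m[1].toLowerCase();
  if (p === "*") return true;
  return p.startsWith("*.") && (host === p.slice(2) || host.endsWith(p.slice(1)));
}

// Ids of rules whose request host has no covering host permission. Rules
// without a "||" anchor are flagged too, since their host cannot be derived.
function uncoveredRules(manifest, rules) {
  const patterns = manifest.host_permissions || [];
  return rules
    .filter((r) => {
      const host = filterHost(r.condition.urlFilter);
      return host === null || !patterns.some((p) => patternCoversDomain(p, host));
    })
    .map((r) => r.id);
}

console.log("Rules lacking host permission:", uncoveredRules(manifest, rules));
```

Here rule 2 is reported because the constructed manifest lists no pattern for pixiv.cat; adding `*://*.pixiv.cat/*` to `host_permissions` clears it.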