Since my extension was upgraded from Manifest V2 to V3, the webRequest permissions I was using before are now changed to declarativeNetRequest permissions.
The browser prompts the user that my extension requests a new permission:
Block pages on any site you access.
This is a very serious warning, many users stopped using my extension, and even thought I violated their privacy, calling on others to report my extension.
But in fact, my extension only runs on 2 websites:
-
pixiv.net-
pixivision.netI use the declarativeNetRequest permission to do only one thing: add Access-Control-Allow-Origin header to the image requests of
pximg.net and
pixiv.cat to solve the cross-domain problem when loading images with JS.
{
"id": 1,
"priority": 1,
"action": {
"type": "modifyHeaders",
"responseHeaders": [
{
"header": "Access-Control-Allow-Origin",
"operation": "set",
"value": "*"
}
]
},
"condition": {
"urlFilter": "||
pximg.net",
"resourceTypes": ["xmlhttprequest", "image"]
}
I noticed that when installing the extension, the browser prompts for host permissions to "read and change your data on some sites" and has a "show details" button that lists all hosts.
Why doesn't the declarativeNetRequest permission do this? I think for an extension that uses limited host permissions, it should only show those hosts, not "all sites".
"All sites" is a misleading term for users who don't understand the technical details. And it would hurt the developers because I was wronged.