Extensions disabled after update

[nem...@readcube.com]

Hi,

our users are reporting that after the latest update extension is being disabled for them with the message:

"The newest version of "extension_name" has beed disabled because it requires more permissions.

Only issue is we never changed any permission before latest update. 

Is that something that comes with some of the latest Chrome updates or what could be the issue?

[Cuyler Stuwe]

Did you change the match pattern for sites that your content scripts inject to? Anything like that?

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/9d104aec-b91d-47a5-828b-7012e3b1f342n%40chromium.org.

[nem...@readcube.com]

Yes I did. Does that also counts as permission change? Was that always like that or is that something introduced by Chrome lately?

Also, why does it then says "It can now: Read and change all your data on all websites" when we explicitly have lists of sites that we inject to, we do not use <all_urls> or anything simillar.

[Cuyler Stuwe]

Yes, a change of the range of sites your extension works on/with counts.

For the other thing: I have no idea without looking at your before/after, but I’m guessing you’re using wildcards.

[馮韋元]

Two tips for ensuring a safe update:

- Using Iron browser to simulate the update process before pushing the update to the chrome store - A useful thread here: https://groups.google.com/a/chromium.org/g/chromium-extensions/c/hJt82E8hgHs

- Pushing the update to only a 1% bucket (if your user base is big enough, you have a bucket feature available), and verifying yourself by creating a new chrome profile, installing the production extension and then force-updating the extension once the update is approved. If you notice a problem on the way, you can push a fix before users get the update.

By doing those steps it helps a lot ensuring the extension update works well before the real users get the update.

Regards,

Francois

[馮韋元]

This scenario has affected a lot of extension developers over the years and I think that the chrome store should really implement a small UI feature to let the developer know they have added a setting in the manifest file which is considered as a permission. 

Any chance to add this to the Chrome store task backlog? (CC Simeon)

Thanks,

Francois

[Simeon Vincent]

Alas, I'm no longer with Google. Tagging in Oliver as he's keeping an eye out around here.

Simeon - @dotproto

On Tue, Mar 14, 2023 at 1:49 PM nem...@readcube.com <nem...@readcube.com> wrote:

We added something like this:

"*://*.amazonaws.com/*",

and all other permissions are like that, domain is always defined explicitly, so I don't know how is that "on all websites"

and besides explicitly defined domains these are other permission we use:

    "tabs",
    "storage",
    "activeTab",
    "cookies",

but those haven't changed in forever

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/1e808772-c582-44fa-a9c4-79f2f5bb97f3n%40chromium.org.

[Oliver Dunk]

Is this the ReadCube Papers extension? Taking a quick look at the permissions, I notice "*://*.go.jp/*". This would likely be enough to cause the "all sites" message, since based on a quick look we seem to show that if any of the host permissions are for all sites on a given eTLD (defined based on https://publicsuffix.org/list/).

I'm not immediately sure why you would see this permission prompt if you were already requesting this permission in a previous version. Would you be comfortable sharing the new host permissions you added in the latest release?

I'll definitely pass on the feedback around highlighting this in the Chrome Web Store.

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[Oliver Dunk]

Hi,

It looks like you deleted your messages? I'm not sure what happened if that isn't the case.

Removing .go.jp would definitely get you closer at least. It's hard to say if it'll change the permission message without checking each host permission you're requesting individually.

Following the steps here should allow you to test: https://developer.chrome.com/docs/extensions/mv3/permission_warnings/#view_warnings

Let me know how you get on.

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

On Thu, Mar 16, 2023 at 10:58 AM nem...@readcube.com <nem...@readcube.com> wrote:

yes it is :)

I see now, we were probably not aware at the time that .go.jp is eTLD. We can definitely remove this, is that going to help?

But as you said, that is the added long ago, and I don't know why latest change caused extension to be disabled for our users.

Here is latest change in manifest, we changed version and added those:

    "*://*.hsforum.com/*",
    "*://*.actamedicamediterranea.com/*",
    "*://*.embase.com/*",
    "*://*.scifinder.org/*",