Extension did not disable on extending permissions

Skip to first unread message


Jan 14, 2021, 1:07:48 PMJan 14
to Chromium Extensions
Was there a change in what permission warnings get displayed after an update?
I had an extension with these permissions:

And I changed the permissions to the photo below:permissions-2.png

That is, I changed "http://*/*" and "https://*/*" into "<all_urls>" AND I added "<all_urls>" into "permissions", so that I can use these hosts with webRequest (as it's not possible if the host is only in the content script).
I expected that when my extension updates, it will get disabled. For 2 reasons - because of extending to "<all_urls>" and also because of adding the host to "permissions", but nothing happened. The extension updated silently. I'm pretty sure that such behaviour is new. Am I missing something?

Alexei Miagkov

Jan 14, 2021, 2:12:30 PMJan 14
to Pteppicymon, Chromium Extensions
I think this is expected behavior as your extension essentially has the same (highest level possible) privileges as before. It's not worth bothering users that an extension that used to be able to do anything on all http and https pages can now do anything on all schemes and pages (http, https, web sockets, etc.).

You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/bf084a0c-bc50-4349-976b-a9acc26d632en%40chromium.org.


Jan 15, 2021, 2:53:43 AMJan 15
to Chromium Extensions, Alex
Oh. Really? I thought they would have to warn users. Also, I could have sworn that if you add the host from content script to permissions you get a warning. Maybe some other factors were at play when it happened to me last time.


Jan 22, 2021, 5:19:52 PMJan 22
to Chromium Extensions, yougotmebeggi...@gmail.com, Alex
I think this is the piece of code responsible for considering the "http://*/*" and "https://*/*" permissions as effectively asking for access to all urls:
Complementing what @Alex said (I completely agree with you btw!), I think this behavior is fine from the point of view of users: Chrome prompts users to accept the "Read and change all your data on the websites you visit" (pseudo-)permission in both cases, so it is consistent.

Another thing we could debate is whether more granularity in the permission prompt is desired, but I think this simplification is good so users don't get confused (I think it's better for the prompt to ask for permissions to "all your data on the websites you visit" rather than ask for access to "http://*/*" and "https://*/*", which is pretty technical and most users wouldn't understand that).

Cheers :-)
Reply all
Reply to author
0 new messages