Extension did not disable on extending permissions
64 views
Skip to first unread message
Pteppicymon
Jan 14, 2021, 1:07:48 PM1/14/21
to Chromium Extensions
Was there a change in what permission warnings get displayed after an update?
I had an extension with these permissions:
And I changed the permissions to the photo below:
That is, I changed "http://*/*" and "https://*/*" into "<all_urls>" AND I added "<all_urls>" into "permissions", so that I can use these hosts with webRequest (as it's not possible if the host is only in the content script).
I expected that when my extension updates, it will get disabled. For 2 reasons - because of extending to "<all_urls>" and also because of adding the host to "permissions", but nothing happened. The extension updated silently. I'm pretty sure that such behaviour is new. Am I missing something?
I expected that when my extension updates, it will get disabled. For 2 reasons - because of extending to "<all_urls>" and also because of adding the host to "permissions", but nothing happened. The extension updated silently. I'm pretty sure that such behaviour is new. Am I missing something?
Alexei Miagkov
Jan 14, 2021, 2:12:30 PM1/14/21
to Pteppicymon, Chromium Extensions
I think this is expected behavior as your extension essentially has the same (highest level possible) privileges as before. It's not worth bothering users that an extension that used to be able to do anything on all http and https pages can now do anything on all schemes and pages (http, https, web sockets, etc.).
--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/bf084a0c-bc50-4349-976b-a9acc26d632en%40chromium.org.
Pteppicymon
Jan 15, 2021, 2:53:43 AM1/15/21
to Chromium Extensions, Alex
Oh. Really? I thought they would have to warn users. Also, I could have sworn that if you add the host from content script to permissions you get a warning. Maybe some other factors were at play when it happened to me last time.
avm99963
Jan 22, 2021, 5:19:52 PM1/22/21
to Chromium Extensions, yougotmebeggi...@gmail.com, Alex
I think this is the piece of code responsible for considering the "http://*/*" and "https://*/*" permissions as effectively asking for access to all urls:
And that function is called from here:
Complementing what @Alex said (I completely agree with you btw!), I think this behavior is fine from the point of view of users: Chrome prompts users to accept the "Read and change all your data on the websites you visit" (pseudo-)permission in both cases, so it is consistent.
Another thing we could debate is whether more granularity in the permission prompt is desired, but I think this simplification is good so users don't get confused (I think it's better for the prompt to ask for permissions to "all your data on the websites you visit" rather than ask for access to "http://*/*" and "https://*/*", which is pretty technical and most users wouldn't understand that).
Cheers :-)
Reply all
Reply to author
Forward
0 new messages