MV3: tabs permission: what API calls need it

145 views
Skip to first unread message

werehamster

unread,
Feb 8, 2023, 2:16:56 PM2/8/23
to Chromium Extensions
Hi All,

Just got a Purple Potassium threat from the Chrome webstore because I used the "tabs" permission in my manifest.json file.

I use the following tabs API calls in my extension:
* chrome.tabs.onActivated
* chrome.tabs.query
* chrome.tabs.create

My question is: What chrome.tabs APIs methods and/or events require the "tabs" permission. I cannot find any documentation that gives me a definitive list. The best I can find is this:

> Most features do not require any permissions to use. For example: creating a new tab, reloading a tab, navigating to another URL, etc. (from https://developer.chrome.com/docs/extensions/reference/tabs/#perms)

Which is hardly helpful. 

Can anyone point me to the actual list of features that require the tabs permission.

Thanks in advance.




Sebastian Benz

unread,
Feb 8, 2023, 2:30:27 PM2/8/23
to werehamster, Chromium Extensions

The page you linked says you only need the permission when querying against url, pendingUrl, title or favIconUrl:

The "tabs" permission
This permission does not give access to the chrome.tabs namespace. Instead, it grants an extension the ability to call tabs.query() against four sensitive properties on tabs.Tab instances: urlpendingUrltitle, and favIconUrl.



--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/e1639979-70aa-4d96-bad5-0d568024443bn%40chromium.org.

Dr. Sebastian Benz

Developer Programs Engineer

sb...@google.com


Google Germany GmbH

Erika-Mann-Straße 33

80636 München


Geschäftsführer: Paul Manicle, Liana Sebastian

Registergericht und -nummer: Hamburg, HRB 86891

Sitz der Gesellschaft: Hamburg


Diese E-Mail ist vertraulich. Falls Sie diese fälschlicherweise erhalten haben sollten, leiten Sie diese bitte nicht an jemand anderes weiter, löschen Sie alle Kopien und Anhänge davon und lassen Sie mich bitte wissen, dass die E-Mail an die falsche Person gesendet wurde. 

     

This e-mail is confidential. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it has gone to the wrong person.


werehamster

unread,
Feb 8, 2023, 2:42:04 PM2/8/23
to Chromium Extensions, sb...@google.com, Chromium Extensions, werehamster
So, just to be clear.
 
I can call any chrome.tabs.* function and it will not require the "tabs" permission. 
However, if I call chrome.tabs.query() and use any of the four arguments listed above (url, pendingUrl, title, and favIconUrl) then I do need the tabs permission.

So the statement "Most features do not require any permissions to use." Is not correct. You can in fact use any chrome.tabs.* feature without the tabs permission (but one feature will fail if passed certain arguments).

If that is the case, then why is it called "tabs" permission, surely it should be "tabs-extended-query" permission or something. All other permission work by granting you access to a given chrome.* namespace.

wOxxOm

unread,
Feb 8, 2023, 5:37:11 PM2/8/23
to Chromium Extensions, werehamster, sb...@google.com, Chromium Extensions
Note that you don't need this permission for those tabs that contain sites covered by your host_permissions in manifest.json or to the active tab's url in case you have `activeTab` permission and the extension was explicitly invoked by the user in this tab.

>  why is it called "tabs" permission

It's probably a legacy artifact as this is one of the first permissions. The extensions platform in Chrome has quite a few of them, e.g. the terrible way of returning a response asynchronously to chrome.runtime.onMessage which still doesn't accept a Promise and `async` declaration of the listener and instead requires `return true` and `sendResponse` callback.

>  it should be "tabs-extended-query

Yeah, something like that might make sense. You can suggest the idea at https://crbug.com.

Robbi

unread,
Feb 9, 2023, 5:19:10 AM2/9/23
to Chromium Extensions, wOxxOm, werehamster, sb...@google.com, Chromium Extensions
> Note that you don't need this permission for those tabs that contain sites covered by your host_permissions in manifest.json
Hi @wOxxOm, since when is this like this?
I know there is a bug report where this feature was requested.

wOxxOm

unread,
Feb 9, 2023, 5:27:39 AM2/9/23
to Chromium Extensions, Robbi, wOxxOm, werehamster, sb...@google.com, Chromium Extensions
Apparently it always worked like this. The bug you've linked is an edge case for own origin not for normal host permissions.

Robbi

unread,
Feb 9, 2023, 5:37:21 AM2/9/23
to Chromium Extensions, wOxxOm, Robbi, werehamster, sb...@google.com, Chromium Extensions
Iindeed, I remember well that to retrieve the pages of the extension I used tabs.query('url': chrome.runtime.getURL('') + '*') and I had to add the "tabs" permission in the manifest otherwise the query returned a empty array.
Now I did a test, I removed the "tabs" permission and this time the query returns a non-empty array.
I mean maybe it wouldn't always seem like this.

Robbi

unread,
Feb 9, 2023, 5:40:38 AM2/9/23
to Chromium Extensions, Robbi, wOxxOm, werehamster, sb...@google.com, Chromium Extensions
Ok it is an edge case, but it seems that bug is been fixed. I'm wrong?

Robbi

unread,
Feb 9, 2023, 5:56:37 AM2/9/23
to Chromium Extensions, Robbi, wOxxOm, werehamster, sb...@google.com, Chromium Extensions
Forget it, I was wrong.
I took off the "tabs" permission but I also had "activeTab" in the manifest, so the array wasn't empty.
The bug report ( mostly a feature request ) is rightfully still open.
Reply all
Reply to author
Forward
0 new messages