"publishing delayed - Broad host permissions" warning even if content script is not executed on all pages


Vaibhav Nigam

Feb 17, 2019, 4:45:31 AM
to Chromium Extensions
Whenever I try to publish a new update to my Chrome extension, I get a warning "publishing delayed - Broad host permissions", and I have to wait 4-5 days for it to actually be published.
If a user reports a bug in the extension, providing the fix will have a turnaround time of a week although the fix is minor, which is damn frustrating! :( You cannot test the patience of my users.

Talking specifically about "Broad host permissions":
Reading through many articles and forums, I got to know that if the content script is injected on any website without specifying a host, it becomes a security concern for users.
I agree with this, and thanks to the Chromium team for securing us from malicious extensions.

But my extension injects the content script only on a specific set of pages whose URL contains a specific query parameter.

I cannot disclose details of my product on a public forum, but let me cover this with an example. Let this query parameter be "my_company_parameter".

{
  "matches": [ "http://*/*my_company_parameter=*", "https://*/*my_company_parameter=*" ],
  "js": [ "content_client.js" ],
  "run_at": "document_start"
}

As you can see, the extension loads some tools on any page that is opened using the query parameter "my_company_parameter" and does not bother other URLs.

Question is, how does it become a security concern for users? Why the hell would they install the extension or use this query parameter if they don't wish to use my product?

The URL pattern is not as open as "https://*/*", but still I have to suffer from the delayed review process. Does it mean that any generic utility extension which works on different pages regardless of host will suffer through this?

What if I don't specify these scripts in the manifest but execute them from the background script by intercepting document requests? Will it speed up the publishing process?

Zak FBA

Nov 15, 2019, 9:49:25 AM
to Chromium Extensions
Did you fix this? We're also having the same issue.

Simeon Vincent

Nov 20, 2019, 3:19:34 AM
to Chromium Extensions, fbamul...@gmail.com
> Question is, how does it become a security concern for users? Why the hell would they install the extension or use this query parameter if they don't wish to use my product?

"Host permissions" refers to the hosts it can match and your pattern currently begins with "http://*/", meaning any possible host served over HTTP. While your specific use case may be a truly unique query parameter, other parameters such as utm_source are extremely common. Allowing injection on arbitrary URLs that contain common query parameters would provide virtually no effective protection for end users.

I should also note that the current form of your match pattern would also match URLs that contain the path segment "my_company_parameter=". While it is unusual for a path to contain an equals sign, it is perfectly valid.


> The URL pattern is not as open as "https://*/*", but still I have to suffer from the delayed review process. Does it mean that any generic utility extension which works on different pages regardless of host will suffer through this?

Yes. That is one of the disadvantages of enabling functionality on a broad set of hosts.

> What if I don't specify these scripts in the manifest but execute them from the background script by intercepting document requests? Will it speed up the publishing process?

No. I'm not sure what exactly you mean by "intercept document requests," but regardless, in order to inject a content script at runtime using chrome.tabs.executeScript() you must have host permissions for the page you want to inject the script into.

---

The "broad host permissions" warning also suggests considering activeTab. Unlike static host permissions, this permission "gives an extension temporary access to the currently active tab when the user invokes the extension - for example by clicking its browser action" (activeTab docs). You can combine activeTab with chrome.tabs.executeScript() in order to inject content scripts in response to a user's invocation of your extension.

Cheers,

Simeon - @dotproto
Extensions Developer Advocate
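The two points in the reply above (the host part of the posted pattern covers every http/https origin, and "*my_company_parameter=*" also matches a path segment) can be checked offline with a small re-implementation of the documented match-pattern rules. This is an added example, not code from the thread or from Chromium; it assumes the simplified semantics noted in the comments (http/https/"*" schemes only, no <all_urls>, no port matching), and the sample URLs and the host "mycompany.example" are constructed for the example.

```javascript
// Added example, not code from the thread or from Chromium: a small
// re-implementation of the documented match-pattern rules
// (<scheme>://<host><path>) so the reply's two points can be checked offline.
// It shows that the posted patterns match every host served over http/https,
// that "*my_company_parameter=*" also matches URLs where the string is a path
// segment, and that the same construction on a common parameter such as
// utm_source matches ordinary marketing links.
// Assumptions/simplifications: only http/https/"*" schemes, no <all_urls>,
// no port matching; the sample URLs and "mycompany.example" are constructed.

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Split a pattern into scheme, host and path, rejecting anything that does
// not have the <scheme>://<host>/<path> shape Chrome requires.
function parseMatchPattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  // "*" in the path matches any run of characters, slashes included.
  const pathRe = new RegExp('^' + path.split('*').map(escapeRegExp).join('.*') + '$');
  return { scheme, host, path, pathRe };
}

function matchesPattern(pattern, urlString) {
  const { scheme, host, pathRe } = parseMatchPattern(pattern);
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1);

  // Scheme: "*" covers http and https only.
  if (scheme === '*') {
    if (urlScheme !== 'http' && urlScheme !== 'https') return false;
  } else if (urlScheme !== scheme) {
    return false;
  }

  // Host: "*" is any host; "*.example" is example and all of its subdomains.
  if (host.startsWith('*.')) {
    const base = host.slice(2);
    if (url.hostname !== base && !url.hostname.endsWith('.' + base)) return false;
  } else if (host !== '*' && url.hostname !== host) {
    return false;
  }

  // Path: the glob is matched against path plus query; the fragment is ignored.
  return pathRe.test(url.pathname + url.search);
}

// A pattern is a "broad host permission" when its host part is the bare
// wildcard: however specific the path glob looks, the pattern still grants
// access to every origin on that scheme.
function isBroadHostPattern(pattern) {
  return parseMatchPattern(pattern).host === '*';
}

// Constructed sample URLs exercising the points made in the reply.
const SAMPLE_URLS = [
  'https://example.com/app?my_company_parameter=1',                    // intended use
  'https://example.com/my_company_parameter=1/about',                  // path segment, no query
  'https://shop.example/?utm_source=newsletter&my_company_parameter=1', // tagged marketing link
  'https://example.com/app?other=1',                                   // should not match
];

function whichMatch(pattern, urls = SAMPLE_URLS) {
  return urls.filter((u) => matchesPattern(pattern, u));
}

// Narrowing the host part is what removes the warning; the path glob can stay.
const POSTED_PATTERN = 'https://*/*my_company_parameter=*';
const NARROWED_PATTERN = 'https://*.mycompany.example/*my_company_parameter=*';

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of [POSTED_PATTERN, 'https://*/*utm_source=*', NARROWED_PATTERN]) {
    console.log(p, 'broad:', isBroadHostPattern(p), 'matches:', whichMatch(p));
  }
}
```

Running it shows the posted pattern matching three of the four sample URLs, including the one where "my_company_parameter=" is only a path segment, while the narrowed pattern matches none of them and is not flagged as broad. If the pages really can live on any host, the alternative the reply points to is to drop the static pattern, request only "activeTab", and call chrome.tabs.executeScript() from a browser-action click handler, so access is granted to the one tab the user invoked the extension on.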