-
-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for Chrome's native site access UI #22
Comments
Anyway I think the solution would be to not assume that we still have all the static permissions. It's kinda complicated probably because I just refactored the module around that assumption. |
permissions: ['activeTab', 'contextMenus', 'scripting', 'sidePanel', 'storage'],
optional_permissions: [],
optional_host_permissions: ['*://*/*'], I have a list of allowed sites in my
It only appears when you click on the main toggle at the top. I think it would be useful if I'm compiling this spreadsheet to try to understand Chrome's behaviour better, and how https://docs.google.com/spreadsheets/d/175IfrjTVqzCMTqklR55FyDtugdU_it1FGZyR4epwf5s/edit?usp=sharing |
Note that any host specified in
Chrome does treat these permissions as "half-assed" so for me anything that is in
That one is grayed out
I still don't know how to repro that. I assume that option becomes available when you have the |
That's really good, thank you the research!
So yes it seems to confirm my last paragraph. |
You mean on install, or at another point? I don't recall seeing an "access all sites" message, but it's been a while since I paid attention while installing an extension from the Web Store.
Ugh, another variable to consider. I only just noticed that I don't have
Hrm, weird.
I see this option even without I had started to take a stab at writing code to detect this and handle it gracefully: aspiers/webext-permission-toggle@412c070 but I don't think I got it working yet.
Yeah exactly. |
I should probably explain what I am trying to achieve, because it may seem odd that I'm simultaneously experimenting with
Probably I'm aiming too high and need to simplify my design goals, but this is how I ended up down this particular rabbit hole. Any advice on the best way forward is welcome :) |
Both. See your second screenshot on this page, it says: "Permissions. Read and change all your data on all websites"
Yeah, Chrome doesn't force you to specify them, it already treats
You got this right but that permission must be exclusively in optional_host_permissions, not in matches. You can also use
They can already do that via chrome's UI.
Chrome already offers that.
Just follow the advice in the readme for webext-dynamic-content-scripts. Your use case is the same as mine. The only requirement is that you have at least one pre-defined site. Works:
Don't overcomplicate it 😃 |
That's only fine if the permission is granted via request(). If it's not optional, we have no API to remove it, so this toggle is completely useless/inert. If it sees all_urls in the manifest, this module should throw an error. |
Makes sense. BTW, I did a bunch more experimenting and it looks like this is going to be horrible to support. I've seen so much confusing behaviour from Chrome which I can't really explain. For example, behaviour following on from when you select "When you click the extension" from the submenu:
|
Welcome to Web Extensions development 😂 it's basically a continuous research.
I think you're talking about In short, if the user clicks the action, the extension receives temporary access until the origin is changed. This permission is not part of Off topic, but I also have logic to optionally support this use case: https://github.com/fregante/webext-dynamic-content-scripts#activetab-tracking
That's concerning. Either way it's something to discuss in: The code is: https://github.com/fregante/webext-tools/blob/386d385d8a0449bf32a466197f9a658a37a40991/index.ts#L18-L35
I call them overlapping permissions: In short if you have
That's not an issue because of what I just said |
😱
Thanks for the hint, I hadn't properly looked into
If by this you mean the extension action icon, this was not quite the scenario I was describing. Here I'm specifically talking about the scenario where the first interaction they have with the extension on a site in the manifest is to right-click the action icon, and then click the context menu item. However, I note that https://developer.chrome.com/docs/extensions/develop/concepts/activeTab says:
At first sight, this could explain why clicking on the toggle menu item would be enough to activate the extension, even before the user clicks "Allow" on the native permissions popup. However, my extension is using the normal import rather than The natural follow-on question is whether in our extensions' use cases it makes sense to include
But this is happening even when the extension is set to "On all sites"; it's not specific to when site access is restricted via native UI. Maybe I need to file a separate issue for that.
Yeah I already took a quick look at that. From memory the URL just wasn't there but I'll double-check.
My point was that it looks like it's gone forever, but as I said:
so it seems that the narrower permission isn't truly gone forever, it's just hidden and can reappear in
Ahah! I had stumbled across this problem myself but didn't realise you already had an issue for it.
Yeah, But anyway, I've totally exhausted my energy for worrying about Chrome's native UI right now, and totally agree with you that it makes sense to park this and focus on getting the other stuff fully working first. As I said, the |
I think you can't access the URL unless you have permission to that tab, either via
Do you still have
Heh yeah, good idea. I'd start by matching the suggested manifest without further permissions in |
But if it's covered by specific host permissions, which as you said is the main point of
No.
I just had a big realisation in #23 (comment) which has solved a bunch of problems in one go. I think pretty much everything is working great now except perhaps for the native site access UI "on click", and I don't have the energy to revisit that right now - need to get back to actually hacking on my extension!! |
For the toggle. If we don't know what site we're on, how can we ask the permission to it? If you avoid the toggle and just let the user input the host, you don't need |
Ah, I see! But anyway, I think I can confirm that the behaviour I saw before of the content script being injected even before clicking "Allow" in the popup was indeed due to
This behaviour is surprising and very counter-intuitive, but it does match what is documented at https://developer.chrome.com/docs/extensions/develop/concepts/activeTab, if you interpret the bullet point "Executing a context menu item" to mean "Clicking on a context menu item" rather than "Clicking on a context menu item and waiting for its event handler to complete". |
I checked, there's nothing to do here. "Support" is actually pretty straightforward:
Since this package at the moment exclusively deals with "additional" permissions, the output of the current methods is unchanged. Just because the user removes a permission, that doesn't change the list of additional permissions. The only method that is "affected" is The only suggestion is to use |
@fregante I'm really confused because I've just found that after removing BTW, my extension is finally public and Open Source, in case you're curious: https://github.com/aspiers/rolod0x/ |
Do you have the Just open the webext-permission-toggle demo extension from its repo and try there without the activeTab permission. I don’t want to debug your usage like last time. Without tab or host permissions, the extension should not be able to know the URL of the current tab, so how can it ask the browser to grant permission to it? |
Anyway, this issue is done, |
As mentioned in fregante/webext-permission-toggle#29 (comment), this module needs support for Chrome's native UI for controlling site access, which looks like this when accessed from an extension's context menu:
and also this bit of the extension's details page:
The text was updated successfully, but these errors were encountered: