extension: get rid of activeTab/tabs permissions, they aren't needed …

…when we have host permissions

also add more context/comments about permissions we use and why we need them

related: #97

doc/PRIVACY.org

@@ -35,28 +35,23 @@ For the maximum privacy you can use the [[file:GUIDE.org#excludelist][excludelis
 
 
 * Extension permissions
-- =activeTab=: getting current tab info and adding the sidebar
-- =webNavigation=: receiving page status updates so extension knows when to load data
+- =file/http/https=: the extension is meant to work on any page, hence such a broad scope
+  this is necessary for webNavigation callbacks to work properly and update icon/sidebar
+
 - =storage=: for settings
-- =contextMenus=: context menu
-- =notifications=: showing notifications
-# NOTE: not used for now
-# - =webNavigation=: watching page state changes (to trigger the extension on page load)
+- =webNavigation=: receiving page status updates so extension kicks in on page loading
+- =contextMenus=: context menu actions
 
 There permissions are required at the moment, but there is an [[https://github.com/karlicoss/promnesia/issues/97][issue]] for work on possibly making them optional.
 
-- =tabs=: making the extension work without an explicit user action (the extension is meant to be a passive assistant)
+- =notifications=: showing notifications
 
-  The extension is still useful even with explicit action only, so worth making opt-in.
 - =history=: to use local browsing history
 
   Local history isn't strictly required, so we could omit this if people prefer.
 - =bookmarks=: used as one of the sources
 
   It can already be toggled in the settings, so the permission could be dynamic too
-- =file/http/https=: the extension is meant to work on any page, hence such a broad scope.
-
-  Might be optional in the future, and requested on demand if people feel it's worth it
 
 * Security
 While I have some reasonable understanding of security, I'm no expert, so would be very grateful if you flag potential issues or [[https://github.com/karlicoss/promnesia/issues/14][go through the code]] (especially extension).

extension/src/background.js

@@ -158,6 +158,10 @@ async function updateState(tab: TabUrl): Promise<void> {
             // this seems to happen if we started injecting the code, but URL changed during that
             // e.g. if you click on links in quick succession or press backward/forward quickly (esp. with hotkeys)
             // should be covered by test_sidebar_navigation
+
+            // NOTE: actually a bit misleading -- on firefox we are always getting this when we don't have host permissions
+            // whereas in chrome we're getting
+            // "Cannot access contents of the page. Extension manifest must request permission to access the respective host"
             proceed = false
         } else {
             throw error

extension/src/manifest.json

@@ -1,7 +1,4 @@
 {
-    "name": "<webpack managed>",
-    "version": "<webpack managed>",
-    "description": "Indicates whether and when the page was visited (and more!)",
     "background": {
         "scripts": [
             "browser-polyfill.js",
@@ -13,23 +10,5 @@
     "options_ui": {
         "page": "options_page.html"
     },
-
-    "permissions": [
-        "file:///*",
-        "https://*/*",
-        "http://*/*",
-
-        "bookmarks",
-        "storage",
-
-        "tabs",
-        "activeTab",
-        "webNavigation",
-
-        "notifications"
-    ],
-    "icons": {
-        "48": "images/ic_not_visited_48.png"
-    },
     "manifest_version": 2
 }

extension/webpack.config.js

@@ -73,22 +73,48 @@ const action = {
 };
 
 
-const permissionsExtra = [];
+const hostPermissions = [
+  // these are necessary for webNavigation to work
+  // otherwise we get "Cannot access contents of the page. Extension manifest must request permission to access the respective host."
+  "file:///*",
+  "https://*/*",
+  "http://*/*",
 
+  /* also note that if we have host permissions, we don't need tabs/activeTab permission to inject css/code
+   * this is necessary to call insertCss and executeScript
+   * note that just activeTab isn't enough because things aren't necessarily happening after user interaction like action
+   * e.g. sidebar/icon state is updating after webNavigation callback
+   * */
+]
 
-// NOTE: these aren't available on mobile
-permissionsExtra.push(
-    'contextMenus',
-    'history',
-);
+const permissions = [
+  ...hostPermissions,
+
+  'storage',
+
+  'webNavigation',
+  'contextMenus',
+
+  // todo could be optional?
+  'notifications',
+
+  // todo could be optional?
+  'bookmarks',   // NOTE: isn't available on mobile
+
+  // todo could be optional?
+  'history',  // NOTE: isn't available on mobile
+]
 
 
 const manifestExtra = {
     name: name,
     version: pkg.version,
-    // TODO description??
+    description: "Indicates whether and when the page was visited (and more!)",
+    icons: {
+        "48": "images/ic_not_visited_48.png",
+    },
     browser_action: action,
-    permissions: permissionsExtra,
+    permissions: permissions,
     options_ui: {},
     web_accessible_resources: [
         "sidebar.css", /* injected in the sidebar */