Review permissions: Use optional permissions when possible, specially for accessing feeds

[dellagustin]

https://developer.chrome.com/extensions/permissions#manifest

This was moved manually from bitbucket: https://bitbucket.org/dellagustin/podstation_chrome_ext/issues/112/feeds-use-optional-permissions-to-access

most critical permissions:

"tabs"
"http://*/",
"https://*/"

also:

"content_scripts": [
		{
			"matches": ["http://*/*", "https://*/*"],
			"js": [
				"lib/jquery.min.js",
				"feedFinder.js"
			]
		}
	],

about priority

This is a high priority issue.

I have been delaying it for some time, mainly because with the source being open and being the developer myself, I know that the extension is not harmful, but this should be better reflected in how we technically handle priorities.

The main reason for prioritizing this issue is that on my last update I got a notice that the release would be pending review due to the excessive use of permissions.

Permissions

Tabs

Tabs is necessary so that we can bring a podstation tab into focus, if it is already open: https://github.com/podStation/podStation/blob/master/extension/background/podstation_bg.js

I have created #54 to follow up on the tabs permission.

Generic url access permission

The generic website access permissions ("http:///", "https:///") are necessary in order to fetch the feeds.

This topic will be handled specifically with #62

Content Script

See #61

References

• Getting permission: Patterns for making fluent permission requests (Chrome Dev Summit 2019)
• Browser Extensions support #53

[dellagustin]

The content of this comment was moved to #54

Regarding Tabs

https://developer.chrome.com/extensions/tabs

The majority of the chrome.tabs API can be used without declaring any permission. However, the "tabs" permission is required in order to populate the url, pendingUrl, title, and favIconUrl properties of Tab.

But we need to query for open tabs of podStation.
The documentation of the query function states the following regarding the url property of the queryInfo parameter:

Match tabs against one or more URL patterns. Fragment identifiers are not matched. This property is ignored if the extension does not have the "tabs" permission.

I tested removing the "tabs" permission and changing the url of the queryInfo object into chrome-extension://${chrome.runtime.id}/podstation.html with the ropes the rule would not apply in for tabs belonging to the extension, no luck.

• I can try to ask the permission dynamically and see what happens.
• I should also raise a feature request to chromium so that I can query for my own tabs.
• I should also check the specifications for Browser Extensions - and raise this use case

References

• https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Working_with_the_Tabs_API

[dellagustin]

all the main points are now addressed by specific issues, I am closing this one.