appsforartists / midicast

a web extension that streams songs from a web page to a MIDI instrument

Apache License 2.0

16 stars 3 forks source link

Closed appsforartists closed 7 years ago

appsforartists commented 7 years ago

manifest.json has some security settings disabled to make HMR work. We need a production-quality version.

What are the minimum necessary permissions? Can we defer asking for permission to fetch until after a user does something?

appsforartists commented 7 years ago

34 #35 and #36 are my notes from my chat with Devlin about making a production-quality manifest.

Other actions to take:

[x] remove 'unsafe-eval' and localhost from content_security_policy. I should check what the default CSP is - I might be able to remove this entry entirely in the production version.
[x] switch from page_action to browser_action to ensure the icon is always available.
[x] remove the declarativeContent permission and usage in index.ts until #36 is ready.

appsforartists commented 7 years ago

Looks like I can remove CSP entirely; the default is: