canjs / devtools

Chrome DevTools for CanJS.
https://chrome.google.com/webstore/detail/canjs-devtools/hhdfadlgplkpapjfehnjhcebebgmibcb
MIT License

Review and remove unnecessary permissions #94

Closed phillipskevin closed 4 years ago

phillipskevin commented 4 years ago

When publishing new versions of devtools, this error comes up:

Here is the full text:

Because of the following issue, your extension may require an in-depth review:
- Broad host permissions
Instead of requesting broad host permissions or content script site matches, consider specifying the sites that your extension needs access to, or use the activeTab permission. Both options are more secure than allowing full access to an indeterminate number of sites, and may help minimize review times.

The activeTab permission allows access to a tab in response to an explicit user gesture.

{
...
"permissions": ["activeTab"]
}

If your extension only needs to run on certain sites, simply specify those sites in the extension manifest:

{
...
"permissions": ["https://example.com/*"]
}

We should remove permissions we do not need.

phillipskevin commented 4 years ago

@cherifGsoul do you think you'd be able to review https://github.com/canjs/devtools/blob/87a185f29408bbf02b0bc944f304f85280cd7c46/manifest.json and do a little research on what permissions might be causing this problem?

cherifGsoul commented 4 years ago

@phillipskevin After research this is what I found:

phillipskevin commented 4 years ago

@cherifGsoul can you put in a PR and I can test it out?

cherifGsoul commented 4 years ago

@phillipskevin I opened a PR https://github.com/canjs/devtools/pull/95

phillipskevin commented 4 years ago

This didn't seem to resolve the error:

Because of the following issue, your extension may require an in-depth review:
- Broad host permissions
Instead of requesting broad host permissions or content script site matches, consider specifying the sites that your extension needs access to, or use the activeTab permission. Both options are more secure than allowing full access to an indeterminate number of sites, and may help minimize review times.

The activeTab permission allows access to a tab in response to an explicit user gesture.

{
...
"permissions": ["activeTab"]
}

If your extension only needs to run on certain sites, simply specify those sites in the extension manifest:

{
...
"permissions": ["https://example.com/*"]
}

phillipskevin commented 4 years ago

You could try comparing our permissions to what react (https://github.com/facebook/react/blob/master/packages/react-devtools-extensions/chrome/manifest.json) or vue (https://github.com/vuejs/vue-devtools/blob/dev/packages/shell-chrome/manifest.json) use.

phillipskevin commented 4 years ago

I published the new version and still get the same warning when publishing. I'm going to leave this closed for now until we can determine a better way to handle the content_script that is causing this issue.
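
Added example (not code from this thread or from canjs/devtools): the warning quoted above covers both host permissions and content script site matches, so a manifest check has to look at both places. The sketch below audits a constructed manifest; the function names and the definition of "broad" (`<all_urls>` or a bare `*` host) are assumptions of the example, not the store's documented rule.

```javascript
// Added example: audit a Chrome extension manifest for broad host access.
// Assumption: a pattern counts as "broad" when it is <all_urls> or its host
// part is a bare "*". The store's actual review rule is not given in the thread.

// Match pattern shape: <scheme>://<host><path>
const MATCH_PATTERN = /^(\*|[a-z][a-z0-9+.-]*):\/\/([^/]*)(\/.*)$/i;

function classifyPattern(entry) {
  if (entry === "<all_urls>") return "broad";
  const m = MATCH_PATTERN.exec(entry);
  if (!m) return "api"; // e.g. "activeTab", "storage": not a host pattern
  return m[2] === "*" ? "broad" : "scoped";
}

function auditManifest(manifest) {
  const findings = [];
  const check = (location, entries) => {
    (entries || []).forEach((entry) => {
      if (classifyPattern(entry) === "broad") {
        findings.push({ location, pattern: entry });
      }
    });
  };
  check("permissions", manifest.permissions);
  check("host_permissions", manifest.host_permissions); // Manifest V3 key
  // Content script matches grant host access even when "permissions" is clean.
  (manifest.content_scripts || []).forEach((script, i) => {
    check(`content_scripts[${i}].matches`, script.matches);
  });
  return findings;
}

// Constructed manifest for illustration; NOT the canjs/devtools manifest.
const sampleManifest = {
  manifest_version: 2,
  name: "sample-devtools-extension",
  permissions: ["activeTab", "storage", "https://example.com/*"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["inject.js"] },
    { matches: ["*://*/*", "https://*.example.com/*"], js: ["other.js"] },
  ],
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`broad host access: ${f.location} -> ${f.pattern}`);
}
```

In the constructed manifest the `permissions` array is already narrow, yet two content script entries are still reported, which is the situation the last comment describes.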