Chrome Extension: webNavigation while limiting permissions scope









up vote
1
down vote

favorite












I have a Chrome extension that watches for an extra query parameter in a url on certain sites. I'm adding functionality to a new site and the issue I'm running into is that the site redirects to a different url and strips out my custom query before my content script can load.



It looks like I can get around this by using the webNavigation API in my background script and adding a listener for chrome.webNavigation.onCommitted. The problem is that by adding webNavigation permissions into my manifest, I'm now asking for permission to "Read your browsing history." I've put a lot of time into trying to limit the scope of my extension permissions to certain sites and I really don't want to ask the user for carte blanche permission like this.



I've found two other threads on SO about this issue, but in one, the user found a workaround that I don't think will work in my case (although if someone has a suggested workaround, I'm all ears), and the other suggests that by adding a filter to the listener declaration, it will limit the permissions request. That answer was not accepted as correct and, indeed, I'm not seeing any permissions difference whether or not I have a filter.



Is it simply not possible to achieve what I'd like to do and also limit the scope of the permissions warning? Or am I missing something? Thanks.



My webNavigation listener declaration:



chrome.webNavigation.onCommitted.addListener(function(e) 
//Can dig out my query parameter from e
console.log(e);
,
url: [hostContains: "[NAME OF HOST]"]
);









share|improve this question























  • Use optional permissions.
    – wOxxOm
    Nov 12 at 4:38






  • 1




    Thanks. I don't think this necessarily solves the problem. It just kicks the can down the road for when you're asking for key-to-the-castle permissions. Figured out a workaround, see below, that happened to work in my situation but it won't be universally applicable.
    – typingm
    Nov 12 at 6:51










  • I didn't have the webRequest permission before, but in adding it, Chrome requested no additional permissions. Before and after adding webRequest, the permission Chrome asked for was to "Read and change your data on a number of websites." And then it listed several websites, which I had laid out in a content-script>matches array in my manifest.json. I need to run a contentscript on those sites, so that permissions scope makes sense.
    – typingm
    Nov 12 at 8:16










  • I figured out the webRequest workaround before I saw your solution, so I haven't played with optional permissions, but looking at the documentation, it seems like optional permissions are still asking for too much, even if you limit their scope. Documentation says that requesting optional permissions of permissions: ['tabs'], origins: ['http://www.google.com/'] will ask the user to "Access your data on www.google.com" and "Access your tabs and browsing activity." Even if you're limiting the scope, it still seems to be asking for everything.
    – typingm
    Nov 12 at 8:21











  • Sorry for the confusion. I didn't know webRequest doesn't add its own permission notice. Could you add this bit of info to your answer? I think it's crucial. I mean rephrase it so that it's more clear.
    – wOxxOm
    Nov 12 at 8:22















up vote
1
down vote

favorite












I have a Chrome extension that watches for an extra query parameter in a url on certain sites. I'm adding functionality to a new site and the issue I'm running into is that the site redirects to a different url and strips out my custom query before my content script can load.



It looks like I can get around this by using the webNavigation API in my background script and adding a listener for chrome.webNavigation.onCommitted. The problem is that by adding webNavigation permissions into my manifest, I'm now asking for permission to "Read your browsing history." I've put a lot of time into trying to limit the scope of my extension permissions to certain sites and I really don't want to ask the user for carte blanche permission like this.



I've found two other threads on SO about this issue, but in one, the user found a workaround that I don't think will work in my case (although if someone has a suggested workaround, I'm all ears), and the other suggests that by adding a filter to the listener declaration, it will limit the permissions request. That answer was not accepted as correct and, indeed, I'm not seeing any permissions difference whether or not I have a filter.



Is it simply not possible to achieve what I'd like to do and also limit the scope of the permissions warning? Or am I missing something? Thanks.



My webNavigation listener declaration:



chrome.webNavigation.onCommitted.addListener(function(e) 
//Can dig out my query parameter from e
console.log(e);
,
url: [hostContains: "[NAME OF HOST]"]
);









share|improve this question























  • Use optional permissions.
    – wOxxOm
    Nov 12 at 4:38






  • 1




    Thanks. I don't think this necessarily solves the problem. It just kicks the can down the road for when you're asking for key-to-the-castle permissions. Figured out a workaround, see below, that happened to work in my situation but it won't be universally applicable.
    – typingm
    Nov 12 at 6:51










  • I didn't have the webRequest permission before, but in adding it, Chrome requested no additional permissions. Before and after adding webRequest, the permission Chrome asked for was to "Read and change your data on a number of websites." And then it listed several websites, which I had laid out in a content-script>matches array in my manifest.json. I need to run a contentscript on those sites, so that permissions scope makes sense.
    – typingm
    Nov 12 at 8:16










  • I figured out the webRequest workaround before I saw your solution, so I haven't played with optional permissions, but looking at the documentation, it seems like optional permissions are still asking for too much, even if you limit their scope. Documentation says that requesting optional permissions of permissions: ['tabs'], origins: ['http://www.google.com/'] will ask the user to "Access your data on www.google.com" and "Access your tabs and browsing activity." Even if you're limiting the scope, it still seems to be asking for everything.
    – typingm
    Nov 12 at 8:21











  • Sorry for the confusion. I didn't know webRequest doesn't add its own permission notice. Could you add this bit of info to your answer? I think it's crucial. I mean rephrase it so that it's more clear.
    – wOxxOm
    Nov 12 at 8:22













up vote
1
down vote

favorite









up vote
1
down vote

favorite











I have a Chrome extension that watches for an extra query parameter in a url on certain sites. I'm adding functionality to a new site and the issue I'm running into is that the site redirects to a different url and strips out my custom query before my content script can load.



It looks like I can get around this by using the webNavigation API in my background script and adding a listener for chrome.webNavigation.onCommitted. The problem is that by adding webNavigation permissions into my manifest, I'm now asking for permission to "Read your browsing history." I've put a lot of time into trying to limit the scope of my extension permissions to certain sites and I really don't want to ask the user for carte blanche permission like this.



I've found two other threads on SO about this issue, but in one, the user found a workaround that I don't think will work in my case (although if someone has a suggested workaround, I'm all ears), and the other suggests that by adding a filter to the listener declaration, it will limit the permissions request. That answer was not accepted as correct and, indeed, I'm not seeing any permissions difference whether or not I have a filter.



Is it simply not possible to achieve what I'd like to do and also limit the scope of the permissions warning? Or am I missing something? Thanks.



My webNavigation listener declaration:



chrome.webNavigation.onCommitted.addListener(function(e) 
//Can dig out my query parameter from e
console.log(e);
,
url: [hostContains: "[NAME OF HOST]"]
);









share|improve this question















I have a Chrome extension that watches for an extra query parameter in a url on certain sites. I'm adding functionality to a new site and the issue I'm running into is that the site redirects to a different url and strips out my custom query before my content script can load.



It looks like I can get around this by using the webNavigation API in my background script and adding a listener for chrome.webNavigation.onCommitted. The problem is that by adding webNavigation permissions into my manifest, I'm now asking for permission to "Read your browsing history." I've put a lot of time into trying to limit the scope of my extension permissions to certain sites and I really don't want to ask the user for carte blanche permission like this.



I've found two other threads on SO about this issue, but in one, the user found a workaround that I don't think will work in my case (although if someone has a suggested workaround, I'm all ears), and the other suggests that by adding a filter to the listener declaration, it will limit the permissions request. That answer was not accepted as correct and, indeed, I'm not seeing any permissions difference whether or not I have a filter.



Is it simply not possible to achieve what I'd like to do and also limit the scope of the permissions warning? Or am I missing something? Thanks.



My webNavigation listener declaration:



chrome.webNavigation.onCommitted.addListener(function(e) 
//Can dig out my query parameter from e
console.log(e);
,
url: [hostContains: "[NAME OF HOST]"]
);






javascript google-chrome google-chrome-extension






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 11 at 20:08

























asked Nov 11 at 20:01









typingm

535




535











  • Use optional permissions.
    – wOxxOm
    Nov 12 at 4:38






  • 1




    Thanks. I don't think this necessarily solves the problem. It just kicks the can down the road for when you're asking for key-to-the-castle permissions. Figured out a workaround, see below, that happened to work in my situation but it won't be universally applicable.
    – typingm
    Nov 12 at 6:51










  • I didn't have the webRequest permission before, but in adding it, Chrome requested no additional permissions. Before and after adding webRequest, the permission Chrome asked for was to "Read and change your data on a number of websites." And then it listed several websites, which I had laid out in a content-script>matches array in my manifest.json. I need to run a contentscript on those sites, so that permissions scope makes sense.
    – typingm
    Nov 12 at 8:16










  • I figured out the webRequest workaround before I saw your solution, so I haven't played with optional permissions, but looking at the documentation, it seems like optional permissions are still asking for too much, even if you limit their scope. Documentation says that requesting optional permissions of permissions: ['tabs'], origins: ['http://www.google.com/'] will ask the user to "Access your data on www.google.com" and "Access your tabs and browsing activity." Even if you're limiting the scope, it still seems to be asking for everything.
    – typingm
    Nov 12 at 8:21











  • Sorry for the confusion. I didn't know webRequest doesn't add its own permission notice. Could you add this bit of info to your answer? I think it's crucial. I mean rephrase it so that it's more clear.
    – wOxxOm
    Nov 12 at 8:22

















  • Use optional permissions.
    – wOxxOm
    Nov 12 at 4:38






  • 1




    Thanks. I don't think this necessarily solves the problem. It just kicks the can down the road for when you're asking for key-to-the-castle permissions. Figured out a workaround, see below, that happened to work in my situation but it won't be universally applicable.
    – typingm
    Nov 12 at 6:51










  • I didn't have the webRequest permission before, but in adding it, Chrome requested no additional permissions. Before and after adding webRequest, the permission Chrome asked for was to "Read and change your data on a number of websites." And then it listed several websites, which I had laid out in a content-script>matches array in my manifest.json. I need to run a contentscript on those sites, so that permissions scope makes sense.
    – typingm
    Nov 12 at 8:16










  • I figured out the webRequest workaround before I saw your solution, so I haven't played with optional permissions, but looking at the documentation, it seems like optional permissions are still asking for too much, even if you limit their scope. Documentation says that requesting optional permissions of permissions: ['tabs'], origins: ['http://www.google.com/'] will ask the user to "Access your data on www.google.com" and "Access your tabs and browsing activity." Even if you're limiting the scope, it still seems to be asking for everything.
    – typingm
    Nov 12 at 8:21











  • Sorry for the confusion. I didn't know webRequest doesn't add its own permission notice. Could you add this bit of info to your answer? I think it's crucial. I mean rephrase it so that it's more clear.
    – wOxxOm
    Nov 12 at 8:22
















Use optional permissions.
– wOxxOm
Nov 12 at 4:38




Use optional permissions.
– wOxxOm
Nov 12 at 4:38




1




1




Thanks. I don't think this necessarily solves the problem. It just kicks the can down the road for when you're asking for key-to-the-castle permissions. Figured out a workaround, see below, that happened to work in my situation but it won't be universally applicable.
– typingm
Nov 12 at 6:51




Thanks. I don't think this necessarily solves the problem. It just kicks the can down the road for when you're asking for key-to-the-castle permissions. Figured out a workaround, see below, that happened to work in my situation but it won't be universally applicable.
– typingm
Nov 12 at 6:51












I didn't have the webRequest permission before, but in adding it, Chrome requested no additional permissions. Before and after adding webRequest, the permission Chrome asked for was to "Read and change your data on a number of websites." And then it listed several websites, which I had laid out in a content-script>matches array in my manifest.json. I need to run a contentscript on those sites, so that permissions scope makes sense.
– typingm
Nov 12 at 8:16




I didn't have the webRequest permission before, but in adding it, Chrome requested no additional permissions. Before and after adding webRequest, the permission Chrome asked for was to "Read and change your data on a number of websites." And then it listed several websites, which I had laid out in a content-script>matches array in my manifest.json. I need to run a contentscript on those sites, so that permissions scope makes sense.
– typingm
Nov 12 at 8:16












I figured out the webRequest workaround before I saw your solution, so I haven't played with optional permissions, but looking at the documentation, it seems like optional permissions are still asking for too much, even if you limit their scope. Documentation says that requesting optional permissions of permissions: ['tabs'], origins: ['http://www.google.com/'] will ask the user to "Access your data on www.google.com" and "Access your tabs and browsing activity." Even if you're limiting the scope, it still seems to be asking for everything.
– typingm
Nov 12 at 8:21





I figured out the webRequest workaround before I saw your solution, so I haven't played with optional permissions, but looking at the documentation, it seems like optional permissions are still asking for too much, even if you limit their scope. Documentation says that requesting optional permissions of permissions: ['tabs'], origins: ['http://www.google.com/'] will ask the user to "Access your data on www.google.com" and "Access your tabs and browsing activity." Even if you're limiting the scope, it still seems to be asking for everything.
– typingm
Nov 12 at 8:21













Sorry for the confusion. I didn't know webRequest doesn't add its own permission notice. Could you add this bit of info to your answer? I think it's crucial. I mean rephrase it so that it's more clear.
– wOxxOm
Nov 12 at 8:22





Sorry for the confusion. I didn't know webRequest doesn't add its own permission notice. Could you add this bit of info to your answer? I think it's crucial. I mean rephrase it so that it's more clear.
– wOxxOm
Nov 12 at 8:22













1 Answer
1






active

oldest

votes

















up vote
2
down vote



accepted










I was able to figure out a workaround for my situation. I don't think this will work for everyone, but using the webRequest API allowed me to intercept the page load request before the redirect and store my query string for later. The webRequest API also didn't ask for any permissions beyond what I was already asking for via a content-script>matches array in my manifest.json file, which causes Chrome to ask for permission to "Read and change your data on a number of websites" and then lists those websites.



chrome.webRequest.onBeforeRequest.addListener(
function(details)

//details.url contains my query string
var url = details.url;
return;
,
urls: ['*://*.mysite.com/*'],
types: ['main_frame'] //Filters out all the js,css,ajax,etc requests

);





share|improve this answer






















    Your Answer






    StackExchange.ifUsing("editor", function ()
    StackExchange.using("externalEditor", function ()
    StackExchange.using("snippets", function ()
    StackExchange.snippets.init();
    );
    );
    , "code-snippets");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "1"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53252685%2fchrome-extension-webnavigation-while-limiting-permissions-scope%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    2
    down vote



    accepted










    I was able to figure out a workaround for my situation. I don't think this will work for everyone, but using the webRequest API allowed me to intercept the page load request before the redirect and store my query string for later. The webRequest API also didn't ask for any permissions beyond what I was already asking for via a content-script>matches array in my manifest.json file, which causes Chrome to ask for permission to "Read and change your data on a number of websites" and then lists those websites.



    chrome.webRequest.onBeforeRequest.addListener(
    function(details)

    //details.url contains my query string
    var url = details.url;
    return;
    ,
    urls: ['*://*.mysite.com/*'],
    types: ['main_frame'] //Filters out all the js,css,ajax,etc requests

    );





    share|improve this answer


























      up vote
      2
      down vote



      accepted










      I was able to figure out a workaround for my situation. I don't think this will work for everyone, but using the webRequest API allowed me to intercept the page load request before the redirect and store my query string for later. The webRequest API also didn't ask for any permissions beyond what I was already asking for via a content-script>matches array in my manifest.json file, which causes Chrome to ask for permission to "Read and change your data on a number of websites" and then lists those websites.



      chrome.webRequest.onBeforeRequest.addListener(
      function(details)

      //details.url contains my query string
      var url = details.url;
      return;
      ,
      urls: ['*://*.mysite.com/*'],
      types: ['main_frame'] //Filters out all the js,css,ajax,etc requests

      );





      share|improve this answer
























        up vote
        2
        down vote



        accepted







        up vote
        2
        down vote



        accepted






        I was able to figure out a workaround for my situation. I don't think this will work for everyone, but using the webRequest API allowed me to intercept the page load request before the redirect and store my query string for later. The webRequest API also didn't ask for any permissions beyond what I was already asking for via a content-script>matches array in my manifest.json file, which causes Chrome to ask for permission to "Read and change your data on a number of websites" and then lists those websites.



        chrome.webRequest.onBeforeRequest.addListener(
        function(details)

        //details.url contains my query string
        var url = details.url;
        return;
        ,
        urls: ['*://*.mysite.com/*'],
        types: ['main_frame'] //Filters out all the js,css,ajax,etc requests

        );





        share|improve this answer














        I was able to figure out a workaround for my situation. I don't think this will work for everyone, but using the webRequest API allowed me to intercept the page load request before the redirect and store my query string for later. The webRequest API also didn't ask for any permissions beyond what I was already asking for via a content-script>matches array in my manifest.json file, which causes Chrome to ask for permission to "Read and change your data on a number of websites" and then lists those websites.



        chrome.webRequest.onBeforeRequest.addListener(
        function(details)

        //details.url contains my query string
        var url = details.url;
        return;
        ,
        urls: ['*://*.mysite.com/*'],
        types: ['main_frame'] //Filters out all the js,css,ajax,etc requests

        );






        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Nov 12 at 19:56

























        answered Nov 12 at 6:53









        typingm

        535




        535



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53252685%2fchrome-extension-webnavigation-while-limiting-permissions-scope%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            這個網誌中的熱門文章

            How to read a connectionString WITH PROVIDER in .NET Core?

            Node.js Script on GitHub Pages or Amazon S3

            Museum of Modern and Contemporary Art of Trento and Rovereto