Improve permission warning for chrome.webNavigation - google-chrome

When using chrome.webNavigation the webNavigation permission is needed. As stated on Permission Warnings, using that permission makes the installer to show the warning message:
Read your browsing history
In my case, I only want to listen to one specific domain, let's say domain.com. So, I need to filter the callback for chrome.webNavigation.onCompleted.addListener().
Now, from the user perspective, they could distrust the chrome extension since "Read your browsing history" is too broad and the extension should only work on domain.com.
When a match pattern is used in the permissions, a message like Read and change your data on all domain.com sites and www.domain.com is used.
Is there any other way to use chrome.webNavigation and only listen to one domain? where chrome extension issues/feature requests should be sent?
Update: I had to use webNavigation in order to support AJAX calls. That is, listen to changes in the DOM and the URL made with AJAX. I solved this particular case by using a MutationObserver. Thus, I could remove the permission. The original question was already reported as a bug by Rob W.

In this case, I've already posted a feature request over a year ago: https://crbug.com/431108 ("Allow extensions to use webNavigation API without webNavigation permission").
where chrome extension issues/feature requests should be sent?
Report feature requests and bugs at https://crbug.com/new (points to https://bugs.chromium.org).
If you want to get the equivalent effect of chrome.webNavigation.onCompleted without using the webNavigation API or adding extra permissions, then you can declare a content script and send a message to the background page when the window.onload event fires.

Related

chrome.webRequest.onBeforeRequest.addListener background Ajax request?

I want to change the fixed geolocation country of Google search. The only way without using a VPN I have found is adding gl=[country_code] to the URL. I created an extension for my use and added that part to the Google search URLs, and it worked. But I recently found that the auto completion (Suggestion) is not changed to the web page's country. That is, even though at the left bottom of Google's home page says "United States", the auto completion is still set to my geo-location, and giving a different list.
After some testing, I have found that Google calls https://www.google.com/complete/search... in the background, and if I append gl=[country_code] to the URL, I can change the country of auto completion. But adding https://www.google.com/complete/search?* like below did not work (modifyUrl was not called).
chrome.webRequest.onBeforeRequest.addListener
(
modifyUrl,
{urls: [
'https://www.google.com/search?*',
'https://www.google.com/webhp?*',
'https://www.google.com/complete/search?*' ],
types: ['main_frame']},
['blocking']
);
Is there any way I can modify the auto completion URL? If there is a better way to change the country without using a VPN, I can use that, too.
Auto-complete searches in google.com site
These are performed via standard JavaScript XHR/fetch (use devtools to inspect the request's details) so you need to specify the type as xmlhttprequest when registering a webRequest listener, not main_frame.
Auto-complete searches in the address bar
These aren't reported to extensions since Chrome 71.
Quoting the reasons behind this decision from crbug.com/884932:
browser initiated requests which may be sensitive in nature or affect browser functionality
https://update.googleapis.com/service/update2 (component updater)
https://www.googleapis.com/chromewebstore/v1.1/items/verify (install signer, used for extension install verification)
https://clients2.googleusercontent.com/crx/blobs.... (downloading crx packages after sync)
https://lh3.googleusercontent.com/.... (Extension icon on the install dialog triggered from webstore)
https://www.google.com/complete/search?client=chrome-omni.. (related to omnibox)
https://www.google.com/async/ddljson?async=ntp:1 (related to ntp doodle)
https://www.google.com/chromesuggestions?t=1
https://cuscochromeextension-pa.googleapis.com/v1/omniboxsuggestions
https://googleapis.com/oauth2... (calls to gaia urls)
For example, one can easily prevent extension install verification or downloading synced extensions by blocking some of these requests. This may have other security implications as well.
We have implemented custom one-off solutions in the past to prevent things like this (e.g. we prevent extensions from intercepting browser initiated requests to some web store urls, safe browsing urls, one google bar requests made on behalf of the NTP etc.).
It seems to me that a more completion solution would be to prevent extensions from intercepting any non-navigation browser initiated requests.
The documentation was also updated:
[...] certain requests [...] are hidden [...] https://www.google.com/chrome, and other sensitive requests core to browser functionality.
Auto-complete searches in the default new/empty tab
The input box in the middle is a "fakebox" that merely focuses the address bar so it's the same as address bar search mentioned in the previous section. The search box be implemented as a real input (see crbug.com/243926) but it'll be still a part of the core browser UI, hence not exposed to extensions' webRequest.

Get Tab based history of urls in Chrome Extension APi

I want to get the history based on tabs not the global history.
I have tried the chrome.history but it is a global history API and it is not giving the tab specific history
Following the thread I checked chrome.webNavigation API but it was just giving the frames of that particular page not the history.
So what is the better way for achieving this?
The history API you're referring is the browser history API.
However, you're looking for the browser session history API (session meaning per-tab).
Since this is a DOM-based API, you can only access this via content scripts. This cannot be used directly from service workers or background scripts, but of course you can use messaging if needed to indirectly access this.

Chrome extension losing requested permissions after browser restart

I developed a chrome extension which communicates with IP phones.
The communication is done in a event page which is sending POST requests via the XMLHttpRequest object.
Because the hostname or IP address of the phone is configured in the options page I added optional_permissions to the manifest file and request them from the user after saving the options with chrome.permissions.request.
Cross-Origin XHR works now without any problems until I restart chrome...
After restarting chrome it seems like the requested permission is lost and I get the typical
is not allowed by Access-Control-Allow-Origin error.
When I click on the extensions permissions I can also see that my requested permission is no longer listed.
Because the chrome.permissions.request is only working for a user gesture I can't request it during the load of my extension or on the fly. If I request the permission again in my options page I don't get asked again whether I want to allow it or not put the permission is granted and everything works again as usual.
Is there a way to get this permission granted persistent after requesting it? I only want the extension to have access to the endpoints it needs.
Thank you very much.
For me the following reported issue answered my question:
Issue 158004: chrome.permissions.request support for user-supplied URL.
To make it clear: It is not possible to request a subset of the permissions defined in optional_permissions. If you define http://*/* then you need to request exactly this string! A subset like http://example.org/* wont work!
Here is a quote from a comment in the issue description which makes that clear:
"There's no wildcard handling, just plain string comparison between the URLPatterns"
The Issue has been fixed in Revision 182287
The only thing left is to cross your fingers that this fix gets included in a upcomming chrome release soon. We'll have to use the bloody Access your data on all websites permission in the meanwhile.

Storing GetUserMedia permissions across future page requests

Once a user has allowed for a getUserMedia request to access their camera/microphone, is it possible to programmatically "remember" that permission across future page loads?
Not sure this answers your question, but for Chrome at least, if you use HTTPS, permission is only requested once. (Looks like this isn't implemented in Firefox.)
For Chrome apps you can add audioCapture and videoCapture permissions, which mean the user is only asked for permission on installation.

How can I pass messages between two instances of *the same* Google Chrome extension?

While Google Chrome's messaging API allows communication between two different extensions using their 'Extension ID', I'm yet to see the issue of communication between two instances of the same extension be addressed. Is this possible using the current Google Chrome API? Is there an 'Instance ID' to uniquely identify each instance of my extension?
If not, I think I will try using my own server be the -middle man- and let all the instances of my extension talk to each other using my -middle man-. In that case, does the Chrome API expose the Instance ID for extensions? If not, any advice on coming up with my own Instance ID scheme?
you can certainly do that, I have done the same thing for my Reload All Tabs extension.
https://chrome.google.com/extensions/detail/bfenodnbilondijnaionekngdhadmegk
Basically, you would need an "extension ID" what I did, I basically uploaded the main extension to the gallery, which gave me the unique ID.
With that ID, you can send requests to that extension via:
http://code.google.com/chrome/extensions/extension.html#method-sendRequest
And listen through external extension requests through:
http://code.google.com/chrome/extensions/extension.html#event-onRequestExternal
You can take a look at the source code for Reload All Tabs, to see how it is done:
https://github.com/mohamedmansour/reload-all-tabs-extension