[Bug] Why does this Chrome extension need <all_urls> permissions?

[mingcheng]

The screenshots below show the errors I encountered while developing and debugging a Next.js app.

It shows your extension will modify all the website page's HTML tags and add hypercrx className attributes. Subsequently, I checked the source code, and I got the answer: the host_permissions of its manifest were configured as "<all_urls>".

Could you please explain why you set up this value like that and if there is a right way to fix or improve this sensitive configuration?

[wangyantong2000]

Previously, in order to expand new features such as FastPR, it may have been displayed on many document websites. And the convenient extension of document websites. Therefore, all_urls was set.

[antfin-oss]

Previously, in order to expand new features such as FastPR, it may have been displayed on many document websites. And the convenient extension of document websites. Therefore, all_urls was set.

I propose adding a whitelit feature instead of changing the website that is in the configured list.

[xiaoya-yaya]

Maybe we should add a permission request from users for all_urls when users enable the fastPR feature, otherwise, such high permission could be disabled by default to avoid causing concerns and risks.

[wangyantong2000]

Thank you for your suggestions. These plans will be considered later.

[mingcheng]

LGTM

[Xsy41]

My initial idea is to disable FastPR by default in options.html, requiring users to enable it manually. When the user clicks to enable FastPR, a whitelist management interface will expand, allowing them to add new domains and providing an option to remove existing domains.

[Xsy41]

Since there are not many document websites currently applied in FastPR, a more straightforward approach is to directly add the required websites to host_permissions.

[frank-zsy]

Since there are not many document websites currently applied in FastPR, a more straightforward approach is to directly add the required websites to host_permissions.

It is feasible if we change the permission scope, but I am not quite sure for new users what page would show?

Is the error page only shows for old users who has installed before? If so, new users won't be affect by the permission issue, so we should not change it back again.

If all_urls requires permission from new users too, we should consider to narrow the scope.

[Xsy41]

Yes, when we modify the permissions, a permission prompt will pop up in the user interface, and Chrome will disable it by default.

[Xsy41]

For new users who have never installed our extension, the following tip will appear after they click install:

[Xsy41]

Is the error page only shows for old users who has installed before? If so, new users won't be affect by the permission issue, so we should not change it back again.

Yes, the disable prompt is only shown to old users, but I think excessive permissions might cause user concerns.

[Xsy41]

Since there are not many document websites currently applied in FastPR, a more straightforward approach is to directly add the required websites to host_permissions.

Then this method is not feasible. When we need to add website permissions, a popup will prompt old users, asking whether they want to disable the extension.