Invoke activeTab from panel.onShown user interaction

[bgins]

Developer tools extensions commonly need to inject a content script to set up communication between a page and a devtools panel. This task requires host permissions to permit the extension to inject the content script.

Using the activeTab permission would be preferable to limit the scope of required permissions. The activeTab permission is invoked with the following user interactions:

• Executing an action
• Executing a context menu item
• Executing a keyboard shortcut from the commands API
• Accepting a suggestion from the omnibox API

Would it be possible to add the panel.onShown event as a means of invoking the activeTab permission? It seems on par with the other user interactions. In particular, it is like executing an action.

[fregante]

I agree it’s kind of expected. A dev tool already has full access to the page via chrome.devtools.inspectedWindow.eval

[zombie]

Agree with @fregante, this seams reasonable.

[oliverdunk]

I think the use case seems reasonable, but I'm not sure if panel.onShown is the right indication of user gesture for this. I'll try to follow-up with some more thoughts :)

[jeffgca]

I think the use case seems reasonable, but I'm not sure if panel.onShown is the right indication of user gesture for this. I'll try to follow-up with some more thoughts :)

It depends on what your bar is for "user gesture", but IMO it should be sufficient even if it feels awkward:

1. installing a developer tool extension is a signal of user intent to use that extension in the developer tools
2. opening the developer tools on a given site is a signal of user intent that the user wants to use the tools with the current tab
3. clicking on the devtools panel is a signal of user intent to attempt to use the extension with the current tab

If the extension needs to inject content scripts in order to function ( and many do ), then IMO the developer who is installing the devtools extension will prefer a solution like this, eg they install a devtools extensions and it "just works" without extra steps.

[bgins]

I think the use case seems reasonable, but I'm not sure if panel.onShown is the right indication of user gesture for this. I'll try to follow-up with some more thoughts :)

I'll be curious to hear which interactions you have in mind. 🙂

One use case my original proposal leaves out is a devtools extension that needs the activeTab permission when the devtools are opened, but before the panel is shown. This would be useful for recording messages sent from a page through a content script to a devtools page, then displaying results when the panel is eventually shown.

Perhaps opening the devtools could invoke the activeTab permission?

[bershanskiy]

I'll be curious to hear which interactions you have in mind.

As both a user and creator of DevTools extension, I would prefer if browser required more than onShown at least for Elements panels. Ideally, I would prefer either of two things:

• panel gets activeTab upon user interaction with the panel
• a new separate (optional and revocable in chrome://extensions or about:addons) permission (e.g., called devtoolsActiveTab) which grants active tab onShown without user action

One use case my original proposal leaves out is a devtools extension that needs the activeTab permission when the devtools are opened, but before the panel is shown. This would be useful for recording messages sent from a page through a content script to a devtools page, then displaying results when the panel is eventually shown.

Is this really a problem in practice? Extension could display a UI to request host permissions for the site and then reload the page. This is very similar to the way "Network" tab works. Also, the performance profilers typically require page reload anyway.

Perhaps opening the devtools could invoke the activeTab permission?

This seems likely to be abused

[oliverdunk]

After some more discussion, we are supportive of this in Chrome. It's not something we are likely to prioritize short term, but makes sense given that DevTools already has the "Read and change all your data on all websites" warning.