Fix extension permissions #292
Conversation
1. Add permission for (api.)wakatime.com on Firefox.
2. Request permission for the API URL set by the user.
3. Restrict content script to run on meet.google.com only.
This involves some strange logic about the host permissions:
- If an origin is listed in `content_scripts.matches`, then the
browser shows that the extension has permission to access data on
that website. However, the background service worker cannot send
cross-site requests to that URL.
- If an origin is listed in both `content_scripts.matches` and
`optional_host_permissions`, then the background service worker can
send cross-site requests to that URL.
So it's not possible to inject content scripts on all websites but
conditionally ask for cross-site request permissions for specific
websites only.
Now it seems that the content script only works for meet.google.com.
More websites may be added if needed later.
An alternative solution is to use `scripting.registerContentScripts()`
to dynamically register content script for websites, so that users
can reject permissions on some websites and continue to use the
extension. This could be implemented later.
This should fix wakatime#291
|
Well, I misread the code. The content script is useful on all websites, not only meet.google.com. |
|
|
|
I messed up with my experiment results and AI responses about permissions and content scripts. Let me do some fresh experiments to see what's the best solution. |
|
Yep, the content script runs on all websites sending a postMessage to the background script. The background script determines if the current tab should be tracked or not, then sends the heartbeat to the WakaTime API... but the background script doesn't need any permissions and isn't restricted by CORS when making requests. |
|
I found some strange undocumented behavior about host permissions. I doubt it could be some browser bugs. We can first make the WakaTime extension work, and I can do further research and maybe report it to Chromium and Mozilla later. |
Add permission for (api.)wakatime.com on Firefox.
Request permission for the API URL set by the user.
Restrict content script to run on meet.google.com only. This involves some strange logic about the host permissions:
content_scripts.matches, then the browser shows that the extension has permission to access data on that website. However, the background service worker cannot send cross-site requests to that URL.content_scripts.matchesandoptional_host_permissions, then the background service worker can send cross-site requests to that URL.So it's not possible to inject content scripts on all websites but conditionally ask for cross-site request permissions for specific websites only.
Now it seems that the content script only works for meet.google.com. More websites may be added if needed later.
An alternative solution is to use
scripting.registerContentScripts()to dynamically register content script for websites, so that users can reject permissions on some websites and continue to use the extension. This could be implemented later.This should fix #291