How can I restrict my addon's permissions?

Add-ons Development
#1

Hi!

I have a Google Translate WIP WebExtension.

It does nothing fancy. It simply does this to all pages the user wants to translate.

I would like to give my addon the minimum permissions it needs but it does not work.

I want to add this:

"*://translate.google.com/*",
"*://www.gstatic.com/images/branding/*",
"*://www.google.com/images/*"

But it does not work unless I set this

"http://*/*",
"https://*/*",

What do do?
Thank you!

#2

I think I solved it myself! :smiley:
I think I needed activeTab for some reason.

#3

This is a pretty cool extension. :slight_smile:

Saves me from having to paste a link in google translate.

1 Like
#4

Thank you @Kenny_D! Glad you like it!

It’s even better: If you run something on localhost I think it can translate it. I need this at work :smiley:

I used to use S3 Google Translate but it has really bad performance.

The addon is under review now.

#5

I can give you an unlisted signed version if reviewing takes long :wink:

#6

It’s fine. I have signing turned off cause I am also a extension developer. Here are some things I found.

  1. Script does not load on certain websites (github and this website) giving an error:
    Error: Error: Script returned non-structured-clonable data
  2. If you spam the browser action button, it creates many of those scripts. So you would have to click the X on each one of them (minor bug)
  3. It would be nice to have the extension to have an active mode where it translates the current website. So that on a page navigation on that website, I don’t have to click the browser action each time. (Use case: Visit a foreign news website -> translate page -> click on an article I like to read -> article is already translated)

Though it seems like you are using Google Translate’s remote external script, which I don’t know how much control they would give you in implementing 3.

1 Like
#7

I will look into the issue 1) it might be a CSP thing.

  1. I noticed that but I don’t know how to fix it. I will try to figure out a solution.

  2. I accept pull requests for this :smiley:

1 Like
#8

I am also an extension dev and I never felt the need to disable the addon signing. Why do you need this? @Kenny_D

#9

Although if I’m not mistaken, AMO does not allow remote execution of scripts. So you would have to package Google Translate’s scripts in your extension, but ask a reviewer to make sure.

1 Like
#10

So I can test my extension normally in my main browser and fix stuff as needed without adding an extra step of signing my extension and not being able to use that version number anymore.

#11

You can try putting the scripts locally.

#12

CSP also affects local requests. I don’t think I can go around it without doing something really hacky. I think addons should not respect CSP rules since they have their own permission system.

Not sure about the remote code thing. I will execute remote code from the web site that I asked permissions from. It will not be in a priviledged context. I will see how that can work out. https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews

#13

It failed review for the reasons you mentioned. I made an unlisted version of it in case you are interested. I hope I can make it pass the review.