Excessive warning from Chrome Web Store for using public API

I recently made a Chrome extension ( FrontPage ) that uses the New York Times API.

I am sending an AJAX request to the API and getting JSON back. However, in order to do this, I need to set permissions for https://api.nytimes.com/* in manifest.json as follows:

  ...
  "permissions": [ "https://api.nytimes.com/*" ],
  ...

to avoid the extension crashing and burning with a Cross Origin rejection.

However, anytime a user installs my Extension from the online store, they get a scary looking warning along the lines: "[Extension] Can access all your data on api.nytimes.com".

All I do is send a request and receive + parse the response from the open API. The warning seems overwhelming. I do not store any user data in any way.

Is there a way to get around this, for example, is there a way to use the API in a Chrome extension without displaying this warning to the user? Am I approaching this in a non-canonical way?

+3


3 answers


There is no way to do what you ask. Chrome is just informing users about what your application can do. They have no way to trust you. What I suggest you do, and what I have seen, is to inform potential users about the warning on your application description page.

Something like:

"Warning: you might get a dreaded blah blah warning because my extension is blah blah. I'm not doing anything with your data; I urge you to look at the source if you're interested."

Most people are used to seeing and accepting these warnings anyway. Yours actually makes a lot of sense because users can intuitively see how this page is related to your extension.

"Read and change all of your details on all websites you visit."

Harder to figure out.


To deal more directly with your original question: it's the stuff that you put in the permissions array that determines which warnings (if any) are generated.

Here is a list of all the possible warning messages and the permissions to which they apply. The page also contains a list of permissions that do not generate any warning messages.

+2


If the API is public, chances are that it has CORS permissive headers.

Some anonymous evidence from the developer forum says this applies to the NYTimes API, at least for some endpoints (can't test it without an API key). If it is not enabled for the endpoint you are using, you can request it.

In that case, you don't need cross-origin request permission for this API; the XHR should succeed anyway.

+2


Xan and Luke's answers are of course correct, but did not mention an important alternative to help you:

You can make this an optional permission and request it later at runtime, along with an explanation as to why it is necessary (it is better to ask for it first, and if the user refuses, then explain to them what they should accept).

Just remember that additional optional permissions have to be requested after a user action, so show a modeless dialog with a button and ask for permission when the button is clicked. I had a similar problem in my extension.

In my case, I just needed to create and read a specific Google spreadsheet, but that meant asking for read/write access to my entire Google Drive.

+1

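The runtime-permission approach from the answer above, as an added example that is not code from the question or any of the answers. It assumes the host from the question is moved from "permissions" to "optional_permissions" in manifest.json (the MV2 key used in this thread; Manifest V3 calls it "optional_host_permissions"), and it assumes a popup with a button with id "enable-nyt" and a status element with id "status", which are names invented for this example. The permissions API is passed in as a parameter so the decision logic can be exercised with a fake outside the browser.

```javascript
// Added example (not from the question or answers). Manifest change assumed:
//
//   "optional_permissions": [ "https://api.nytimes.com/*" ]
//
// so the host is not requested at install time and produces no install warning.
// The element ids "enable-nyt" and "status" are assumptions for this example.

const NYT_ORIGIN = "https://api.nytimes.com/*";

// chrome.permissions.contains/request take a completion callback in MV2;
// wrap them in promises so the logic below can run with a fake API in tests.
function promisify(permissionsApi, method) {
  return (query) =>
    new Promise((resolve) => permissionsApi[method](query, resolve));
}

// Checks whether the host permission is already held and requests it if not.
// Resolves to "already-granted", "granted" or "denied".
async function ensureHostPermission(permissionsApi, origin) {
  const contains = promisify(permissionsApi, "contains");
  const request = promisify(permissionsApi, "request");
  if (await contains({ origins: [origin] })) {
    return "already-granted";
  }
  // chrome.permissions.request only works inside a user gesture (a click
  // handler here); Chrome refuses it otherwise, which is why the prompt is
  // tied to a button rather than fired on popup load.
  const granted = await request({ origins: [origin] });
  return granted ? "granted" : "denied";
}

// Text shown to the user after the prompt, including the explanation for a refusal.
function messageFor(status) {
  switch (status) {
    case "already-granted":
    case "granted":
      return "Access to api.nytimes.com enabled; loading headlines.";
    case "denied":
      return "Without access to api.nytimes.com the extension cannot fetch headlines. Click again to allow it.";
    default:
      throw new Error(`unexpected status ${status}`);
  }
}

// Popup wiring; this branch only runs inside the extension, not in tests.
if (typeof chrome !== "undefined" && chrome.permissions && typeof document !== "undefined") {
  document.getElementById("enable-nyt").addEventListener("click", async () => {
    const status = await ensureHostPermission(chrome.permissions, NYT_ORIGIN);
    document.getElementById("status").textContent = messageFor(status);
    // On "granted" or "already-granted" the existing XHR to the API can proceed;
    // the grant persists across browser restarts until the user removes it.
  });
}
```

Because the host is no longer in the install-time "permissions" array, the store listing shows no warning for it; the prompt appears only when the user clicks the button, at a moment when the popup can explain what the access is for.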
