How to know if permissions are safe to request in your Chrome Extension

[00:00] You might have noticed that when an extension updates, Chrome will sometimes disable it and ask you to accept new permissions. [00:07] That can be quite worrying as a developer. [00:09] While this is really important so that users understand when what an extension can do changes, [00:14] It does also mean a user has to make a decision about if they continue to use your extension going forward. [00:20] In this video, I'll tell you why this happens and how it works. [00:30] Welcome back to Developer Mode. Today's question is based on something that comes up a lot in the Chromium Extensions mailing list we have. [00:37] as well as something I've had developers reach out specifically with questions around. [00:41] I think we're going to breeze through things a bit more quickly this episode, but there are a few things that I want to cover by the end, including the general idea of what permissions are and then how you can test an update to see what impact it will have on your users. [00:53] So there's a whole list of permissions that an extension can request. And if we go to the Chrome for developers documentation, you can see the whole list of permissions here. [01:01] As you can see, I can scroll down quite a way. There's quite a few of these. [01:04] And these control what an extension can do and what data it has access to. [01:09] Often you might need to request a new permission for a new feature you're building, but it can be intimidating to do so if you're not sure what the result of doing so will be. [01:18] The first thing to mention is that all of the permission warnings are also displayed in our documentation. [01:23] So if I go here, I can find a particular permission. And you can see that this Downloads permission will give the warning, Manage your downloads.

[01:31] And if you don't see a permission warning listed here, then you can add the permission and there will be no impact to a user. [01:37] This is usually the case if it's a lower risk permission where we don't think we need to give an explicit prompt. [01:42] Now for permissions with warnings, adding these when your extension updates will usually cause your extension to be disabled. Chrome will show a prompt asking the user if they're comfortable with the new permissions. [01:53] So if you've ever seen that prompt where Chrome is asking you to re-enable an extension, this is why. [01:58] Now, it's important to note that this includes host permissions and matches patterns for content scripts, too. [02:03] So even if you haven't touched the permissions array, there are other situations where this can happen. [02:10] So shouldn't this video be over? Well, things get a bit more complex because Chrome has some logic where it will merge the permissions and not always show all of the permission warnings. [02:20] For example, let's say the user has already agreed to let you read and change all your data on all websites because you requested the all URLs permission. [02:29] Now you want the declarative net request permission. [02:32] Or if I search for that permission in the documentation, you can see that will normally trigger a block content on any page permission warning. But since the user's already accepted something far more broad, we actually don't require any steps from the user and we don't show an additional prompt. [02:47] Now, there are too many cases like this to document, so instead we publish this documentation on how to test and update. [02:54] and it has a few different options, but one in particular is using the extension update testing tool. And I want to show you that one in practice. So let's take a look.

[03:03] So I have a really basic Color World extension you can see here. [03:06] And I've brought this into the extension update testing tool, and I've done the basic setup so that I'm ready to go. [03:12] And if I press the Install Extension button here now, you can see we get the prompt to install the extension. And I haven't requested any permissions, so [03:20] I don't get any permission warnings here. I can just directly install the extension. [03:24] And then if I go to the extensions page, you can see that my extension has been installed. [03:29] Now we're going to go ahead and update this with a new permission. Let's say that I want that declarative net request permission that we looked at. I'm going to add that to the manifest. [03:39] and then I'm going to download the extension and bring that into the testing tool. [03:43] And actually, I need to update the version here as well, because if there's not an increase to the version number, then the browser doesn't know that there's an update available to be installed. [03:52] So I'm going to go ahead [03:54] and grab this and move it into the update testing tool. You can see we're now serving the updated version. And if I go ahead and press the update button on the extensions page, you can see that my extension has been disabled and I'm being asked to accept these new permissions to [04:08] block content on any page. [04:09] And this is exactly the same as the permission warning that users would get installing from the Chrome Web Store. [04:15] So if you have an update that you're not sure about, what I'd advise you to do is take the version that's already published, bring that into the tool, and then upload your new version. And you can use this to go through the full flow that a user would see [04:26] and check that you're comfortable with any permission warnings. [04:31] So hopefully this was helpful. If you haven't already, consider subscribing as we're planning to keep these videos coming.

[04:37] Also drop a comment if there's a particular question on extension development you'd like to see answered. [04:42] Now we've covered a number of resources here, so we'll put links to [04:45] all of those in the description. [04:47] But otherwise, thank you for watching. Until next time.