That's a good question. I don't have a good answer for you right now. We might need to see how things play out for a bit before figuring out what right course of action is.
Adam On Thu, Dec 10, 2009 at 12:04 PM, Billiam <[email protected]> wrote: > I see the need for the restriction, but there ought to be some kind of > default text on extension pages that use content scripts with http://*/* > that describes this limitation to users. > > I'm seeing a lot of comments from users asking (or complaining) that > an extension doesn't work in the gallery. Is this something that > developers should have to add to their description to avoid bad > ratings? > > > > On Dec 2, 10:22 pm, Adam Barth <[email protected]> wrote: >> One way to think about this is that the Gallery is part of Chrome's >> UI, just like the New Tab page or the Downloads page. We don't allow >> content scripts in the NTP either. >> >> Another way to think about this is that injecting a content script >> into the Gallery lets you install any extension automatically without >> user intervention, which means you effectively get the most powerful >> manifest permissions. >> >> Adam >> >> On Wed, Dec 2, 2009 at 11:23 AM, Finnur Thorarinsson >> >> >> >> <[email protected]> wrote: >> >> > Nobody is arguing this prevents extensions from doing bad things. I don't >> > think that's a problem that is easily solved within the extension system. >> > At >> > the end of the day users should install extensions from developers they >> > trust and be able to report extensions that misbehave. >> > The Abuse signal is an important part in weeding out the bad extensions so >> > yes, I think it is pretty high on the importance list. It also happens to >> > be >> > easy to make sure that that safety mechanism is not tampered with directly >> > (block content scripts for the Gallery url). >> > Sure, you can substitute the download link on the download page for Chrome, >> > but realistically how many people download Chrome from the download page if >> > they already have Chrome installed? >> >> > On Wed, Dec 2, 2009 at 11:08, Pam Greene <[email protected]> wrote: >> >> >> True, but is that a bigger problem than an extension messing with my >> >> bank's site? Or my email? Or substituting another link on the download >> >> page >> >> for Chrome itself, pointing it to a version that doesn't have the >> >> no-extensions-on-gallery restriction? >> >> - Pam >> >> >> On Wed, Dec 2, 2009 at 11:03 AM, Finnur Thorarinsson <[email protected]> >> >> wrote: >> >> >>> Well, for one an abusive extension could remove the UI in the Gallery >> >>> that allows the user to report the extension as abusive. That alone >> >>> would be >> >>> a pretty big problem. >> >> >>> On Wed, Dec 2, 2009 at 10:53, Claudio Benvenuti >> >>> <[email protected]> wrote: >> >> >>>> Ok, I'll do that. >> >>>> But.. why is the Extension Gallery going to be more vulnerable than >> >>>> any other web sites? >> >>>> Are you talking about XSS and stuff like that? >> >>>> From what I understand the content script is execute in an "isolated >> >>>> world", so what am I missing? >> >>>> I'm asking just to understand :) >> >> >>>> thanks again >> >> >>>> Claudio >> >> >>>> On Dec 2, 7:32 pm, Finnur Thorarinsson <[email protected]> wrote: >> >>>> > Yeah, it would be great to not have to worry about the security of >> >>>> > running >> >>>> > content scripts on the Gallery, but that's the world we live in. >> >> >>>> > If you are concerned about users uninstalling the extension because of >> >>>> > this, >> >>>> > then maybe you should note in the description for the extension that >> >>>> > the >> >>>> > Extension needs to be tested on pages not in the Extension Gallery. >> >> >>>> > On Wed, Dec 2, 2009 at 10:27, Claudio Benvenuti >> >>>> > <[email protected] >> >> >>>> > > wrote: >> >>>> > > Ok, thank you very much, now its clear!!! >> >>>> > > Thank you also for your precious advice about the permission on >> >>>> > > file://... >> >>>> > > already removed from my manifest :) >> >> >>>> > > I'm a bit concerned about content_scripts not running on the Chrome >> >>>> > > Extension Gallery. >> >>>> > > I think that the first action an user will do once he installs a new >> >>>> > > extension from the Chrome Extension Gallery is going to be... try >> >>>> > > the new extension... but, if extension uses content_script, it's >> >>>> > > not >> >>>> > > going to work... probably the next step will be... "Uninstall" >> >>>> > > At least... that's what I did with my own Extension :) >> >> >>>> > > Sorry for my english and for my comment, if misplaced. >> >>>> > > Thank you again >> >> >>>> > > Claudio >> >> >>>> > > On Dec 2, 6:57 pm, Finnur Thorarinsson <[email protected]> wrote: >> >>>> > > > Yes, for security reasons we don't support running content scripts >> >>>> > > > on the >> >>>> > > > Chrome Extension Gallery. >> >> >>>> > > > As for mail.google.com, it works for me, although I'm on Windows. >> >> >>>> > > > Oh, and as a side note, if your manifest includes running >> >>>> > > > content_scripts >> >>>> > > on >> >>>> > > > file://, then the users of your extension are going to have a very >> >>>> > > > scary >> >>>> > > > looking security warning when they try to install your extension. >> >>>> > > > I >> >>>> > > > recommend not having your content script run on file:// unless you >> >>>> > > > absolutely need to. >> >> >>>> > > > -F >> >> >>>> > > > On Wed, Dec 2, 2009 at 08:46, Claudio Benvenuti < >> >>>> > > [email protected] >> >> >>>> > > > > wrote: >> >>>> > > > > Hello Everybody, >> >>>> > > > > I'm developing an extension that make use of content script. >> >>>> > > > > In manifest.json I have : >> >> >>>> > > > > "content_scripts": [ >> >>>> > > > > { >> >>>> > > > > "matches": ["http://*/*";, "https://*/*";, >> >>>> > > > > "file:///*"], >> >>>> > > > > "js": ["source.js"] >> >>>> > > > > } >> >>>> > > > > ], >> >> >>>> > > > > but in some pages, likehttps://mail.google.com/mail/, or like >> >>>> > > > > my >> >>>> > > > > chrome extension dashboard >> >>>> > > > > (https://chrome.google.com/extensions/ >> >>>> > > > > developer/dashboard), my content script is not injected in the >> >>>> > > > > page, >> >>>> > > > > so my extension is not working. >> >>>> > > > > I checked this using the Developer Tools. >> >> >>>> > > > > I'm using Chromium 4.0.260.0 under linux. >> >>>> > > > > Is anyone experiencing this problem? >> >>>> > > > > Am I missing something? >> >> >>>> > > > > Thanks everybody >> >>>> > > > > Claudio >> >> >>>> > > > > -- >> >> >>>> > > > > You received this message because you are subscribed to the >> >>>> > > > > Google >> >>>> > > Groups >> >>>> > > > > "Chromium-extensions" group. >> >>>> > > > > To post to this group, send email to >> >>>> > > [email protected]. >> >>>> > > > > To unsubscribe from this group, send email to >> >> >>>> > > > > [email protected]<chromium-extensions%2Bunsu >> >>>> > > > > [email protected]><chromium-extensions%2Bunsu >> >>>> > > [email protected]> >> >>>> > > > > . >> >>>> > > > > For more options, visit this group at >> >>>> > > > >http://groups.google.com/group/chromium-extensions?hl=en. >> >> >>>> > > -- >> >> >>>> > > You received this message because you are subscribed to the Google >> >>>> > > Groups >> >>>> > > "Chromium-extensions" group. >> >>>> > > To post to this group, send email to >> >>>> > > [email protected]. >> >>>> > > To unsubscribe from this group, send email to >> >> >>>> > > [email protected]<chromium-extensions%2Bunsu >> >>>> > > [email protected]> >> >>>> > > . >> >>>> > > For more options, visit this group at >> >>>> > >http://groups.google.com/group/chromium-extensions?hl=en. >> >> >>>> -- >> >> >>>> You received this message because you are subscribed to the Google >> >>>> Groups "Chromium-extensions" group. >> >>>> To post to this group, send email to >> >>>> [email protected]. >> >>>> To unsubscribe from this group, send email to >> >>>> [email protected]. >> >>>> For more options, visit this group at >> >>>>http://groups.google.com/group/chromium-extensions?hl=en. >> >> >>> -- >> >> >>> You received this message because you are subscribed to the Google Groups >> >>> "Chromium-extensions" group. >> >>> To post to this group, send email to >> >>> [email protected]. >> >>> To unsubscribe from this group, send email to >> >>> [email protected]. >> >>> For more options, visit this group at >> >>>http://groups.google.com/group/chromium-extensions?hl=en. >> >> > -- >> >> > You received this message because you are subscribed to the Google Groups >> > "Chromium-extensions" group. >> > To post to this group, send email to [email protected]. >> > To unsubscribe from this group, send email to >> > [email protected]. >> > For more options, visit this group at >> >http://groups.google.com/group/chromium-extensions?hl=en. > > -- > > You received this message because you are subscribed to the Google Groups > "Chromium-extensions" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/chromium-extensions?hl=en. > > > -- You received this message because you are subscribed to the Google Groups "Chromium-extensions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/chromium-extensions?hl=en.
