Chrome Web Store issues an overly stringent warning for accessing a public API

A new Chrome Extension called FrontPage was recently created, utilizing the New York Times API.

The extension sends an AJAX request to the API and receives a JSON response. However, to make this possible, specific permissions need to be set in the manifest.json file as follows:

  ...
  "permissions": [ "https://api.nytimes.com/*" ],
  ...

If these permissions are not properly configured, the Extension may encounter a Cross Origin rejection error.

When users install the Extension from the Web Store, they are presented with a warning that states: "[The extension] Can access all your data on api.nytimes.com". Despite only retrieving public information from the API without storing any user data, this warning may seem excessive to users.

Is there a way to avoid displaying this warning to users when using an API in a Chrome Extension? Are there alternative approaches to integrating APIs into extensions without triggering such alerts?

javascriptjsongoogle-chromegoogle-chrome-extensionchrome-web-store

Answer №1

Unfortunately, there is no way to achieve what you are looking for. Chrome simply informs users about the capabilities of your app without providing any means for them to trust you. My suggestion, based on observing others in a similar situation, is to include a notice about potential warning messages in the description page of your app.

You could consider something like this:

`Warning: you may receive a scary warning message due to my extension's functionality. Rest assured that I do not misuse your data and encourage you to inspect the source code if you have any doubts."

Most users are accustomed to these warnings now and tend to accept them easily. In your case, it makes sense since users can easily see the connection between the warning message and your extension.

Reading and modifying all data on websites you visit

poses a bit more of a challenge to address.

To directly tackle your initial query: The warnings generated depend on the permissions specified in the "permissions" array.

Here is a comprehensive list of all possible warning messages and their corresponding permissions. This page also includes a list of permissions that do not trigger any warning messages.

Answer №2

When an API is made public, it typically has permissive CORS headers enabled.

There have been reports on the developers forum indicating that this is true for certain endpoints of the NYTimes API (although testing requires an API key). If CORS headers are not enabled for the specific endpoint you are using, you can make a request for them here.

If CORS headers are in place, permission for cross-origin requests to the API is not needed, and XHR should succeed regardless.

Answer №3

Xan and Luke provided accurate answers, but there is an important alternative that has not been mentioned yet:

Consider making the permission optional by requesting it at runtime along with a clear explanation of why it is necessary. It's best to ask for the permission upfront, and if the user declines, provide them with information on why they should accept.

Remember, optional permissions should only be requested after a user action. Display a modeless dialog with a button that prompts the user to grant permission when clicked. I encountered a similar issue with my extension.

In my situation, I only needed access to create and read from a specific Google Spreadsheet. However, this required requesting full access to the user's Google Drive for read/write capabilities.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Pressing the button does not register outside of the loop function

Just as the title says, I am experiencing an issue where my click event is not being triggered when I click on my button. The button itself was created using a JavaScript loop. Interestingly, I found that when I placed my click event function inside the lo ...

javascriptjquery

Golang runtime: goroutine stack surpasses the 1 billion byte limit

Encountering an error while attempting to Marshall a nested struct object. The struct setup is as follows: type Blockchain struct{ blocks []Block `json:"blocks"` difficulty int `json:"difficulty"` } type Block struct{ index ...

jsongomarshalling

Checking for a particular element's existence in an array using jQuery

Is there a way to verify the presence of the var element in the array sites? var sites = array['test','about','try']; var element = 'other'; ...

javascriptjquery

Can you explain the function of "app.router" in the context of Express.js?

When looking at the default app.js file generated by express.js, I came across the following line: ... app.use(app.router); ... This particular line of code has left me perplexed for a couple of reasons. First, upon consulting the express api documentati ...

javascriptnode.jsexpressmiddleware

Collection of clickable images that lead to creatively designed individual pages

Being relatively new to JavaScript and jQuery, my knowledge is solid when it comes to HTML & CSS. Currently, I have a page with 20 minimized pictures (with plans to increase to 500+ images) that open into a new page when clicked. Although I have no issues ...

javascriptjqueryhtmlcssimage

Converting PHP variables to JavaScript using AJAX and XML communication

In order to gain a deeper understanding, I am determined to tackle this task without relying on jQuery. This means I am willing to reinvent the wheel in order to fully comprehend how it functions. My research has led me to believe that AJAX is the key to a ...

javascriptphpjqueryajax

Adjust the aesthetic based on whether the field is populated or empty

I have a simple text field on my website that triggers a search when the user inputs a value. I am wondering if it is possible to style the text field differently depending on whether it is empty or has content. Specifically, I want to change the border c ...

javascriptmaterial-uitextfield

The hamburger menu is only functional for a single link

I've been developing a hamburger menu for my website, and it seems to be working fine until I click on a link. Once I navigate to a new page, the menu stops responding. To fix this issue, I attempted to use window.location.reload, which worked in Chro ...

javascriptphpjqueryhtmlcss

How to Add Elements to a JSON Array using Scrapy

Currently, I am utilizing the Python framework Scrapy to scrape websites and save the collected data into a JSON array. The command I use to store the data is as follows: scrapy crawl dmoz -o items.json -t json Whenever I run this command, it generates a ...

pythonarraysjsonscrapy

Distinguishing between Javascript Array Objects and Array-Like Objects: An Elucidation

While attempting to convert an array-like object into a string using JSON.stringify, I discovered that the function was not working correctly when the array-like object was declared as an array object. For more clarity, please refer to the following --> ...

javascriptarraysjsonobjectassociative-array

Pressing the reset button on a basic calculator

I am experiencing an issue with my calculator. It works fine initially, but after using the reset button, it stops functioning properly. Currently, I only have the multiplication set up as I debug this problem. I am new to JavaScript and would appreciate a ...

javascriptjqueryhtmlcss

Which is the better option: using a nonce for each function or one for all AJAX calls?

My approach to security in WordPress includes the use of nonces, which serve as an additional layer of protection. These nonces are essentially hashes that are sent to the server and change every few hours. If this hash is missing, the request will be dee ...

javascriptjqueryajaxwordpressnonce

Issue with Accessing Subdomain Cookies on Express Backend Using CORS and Cookie-Parser

I am currently tackling a challenge in my MERN (MongoDB, Express, React, Node.js) application related to receiving cookies from subdomains in my Express backend. Despite implementing CORS and cookie handling successfully for a simple localhost origin, I am ...

javascriptnode.jsreactjsexpresswildcard-subdomain

"Why does Sequelize migration successfully create a table, yet the models are unable to establish a connection to the

I am currently learning how to use the Sequelize ORM in Node.js and save data in a PostgreSQL database. My primary objective is to insert user data into the Users table. I have successfully created the table using migration; however, I am encountering dif ...

javascriptnode.jspostgresqlsequelize.jssequelize-cli

The jQuery click event is failing on the second attempt

My PHP code dynamically generates a list, and I want to be able to delete rows by clicking on them. The code works fine the first time, but not the second time. HTML <li> <div class="pers-left-container"> <img src="<?php ech ...

javascriptjqueryajaxonclick

Retrieving data from ResourceBundle to populate annotations

Is it possible to read a value for an annotation from a ResourceBundle in Java? Instead of hardcoding @JsonProperty("myPropertyName"), I'm curious if there's a way to dynamically assign the value like @JsonProperty(env.getProperty("json.property. ...

jsonspringspring-mvcannotations

The application encountered an issue: Unable to find a suitable converter for the returned value, which is of the class org.json.JSONObject

I have been working on developing a REST API using the Spring framework. One of the functionalities in my API is to call another API, such as Oracle ORDS. private String processBackground(String object, String url, HttpMethod template) { HttpHead ...

jsonspring

Struggling to extract information from a serialized Python object using JavaScript/jQuery?

Continuing the previous issue with an AJAX call to a Django view (restframework endpoint), the problem has now shifted to the frontend. $.ajax({ url: '/notify/', type:'GET', dataType: '', success: function (da ...

javascriptjquerypythondjangoserialization

Dynamic Data Visualization: Implementing smooth transitions to update a plot when the dataset's x-axis scale is modified

I encountered some issues while working with a Histogram chart using d3, as demonstrated in this example. After plugging in my data, I noticed strange side effects such as retained information from previous datasets on the x-axis scale even after refreshin ...

javascriptangularjsd3.jssvg

I need assistance from someone knowledgeable in HTML and CSS. I am trying to create a div that dynamically increases its width until it reaches a specific

Seeking assistance to create a dynamic div that continuously expands its width until it reaches a maximum of 540px. It should start at 75px. Below is the HTML and CSS code I've attempted: .Loading-Screen { background-color: black; color: alicebl ...

javascripthtmlcss