63

I am trying to understand the working of Google chrome extensions. I was studying the manifest.json file where I came across the permissions "http://*/*", "https://*/*" and "<all_urls>"

Can anybody explain what do these permissions mean?

TheRookierLearner
  • 3,643
  • 8
  • 35
  • 53

3 Answers3

127
  • "<all_urls>": matches any URL that starts with a permitted scheme (http:, https:, file:, or ftp:).
  • "http://*/*": Matches any URL that uses the http: scheme.
  • "https://*/*": Matches any URL that uses the https: scheme.
  • "*://*/*": Matches any URL that uses the https: or http: scheme.

These permissions are required if your Chrome extension wants to interact with the code running on pages.

Match patterns documentation

zcoop98
  • 2,590
  • 1
  • 18
  • 31
PSL
  • 123,204
  • 21
  • 253
  • 243
  • 4
    *b.t.w.*, although the *manifest.json* should be Unicode-encoded, I've seen a lot of extensions escaping the `<`, `_` and `>`, to their's equivalent Unicode-format of `"\u003Call\u005Furls\u003E"`. I've asked around, and apparently some developers have used validation mechanism, which then validated the JSON "invalid" because of those characters. *Just in-case you were wondering..*. –  May 11 '15 at 16:41
  • 3
    Testing this in Chrome 43, I don't believe matches "chrome-extension" any more (if it ever did). Also, see documentation for supported formats: https://developer.chrome.com/extensions/match_patterns – deadbeef404 May 29 '15 at 04:52
1
<url-pattern> := <scheme>://<host><path>
<scheme> := '*' | 'http' | 'https' | 'file' | 'ftp'
<host> := '*' | '*.' <any char except '/' and '*'>+
<path> := '/' <any chars>

The meaning of '*' depends on whether it's in the scheme, host, or path part. If the scheme is *, then it matches either http or https. If the host is just *, then it matches any host. If the host is .hostname, then it matches the specified host or any of its subdomains. In the path section, each '' matches 0 or more characters. The following table shows some valid patterns.

Gopal Meena
  • 11
  • 2
0

To make SPL's answer a bit more concrete: from https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions

For example, consider an extension that wants to run a script in the current page when the user clicks a browser action. If the activeTab permission did not exist, the extension would need to ask for the host permission <all_urls>. But this gives the extension more power than it needs: it could now execute scripts in any tab, any time it likes, instead of just the active tab and only in response to a user action.

Having worked on a few Firefox extensions, I found that it is often the case that <all_urls> is needed rather than activeTab because when users change the options for the extension, one has to inform all the tabs that the options has changed so that the extension can behave according to the new settings. The alternative is to use activeTab but then the extension has to re-load all the options from storage.local just before carrying out its function. This is acceptable if the functions provided by the extension is not used frequently.

tst
  • 479
  • 4
  • 7
  • Actually, there is another way to handle option changes without the need for . You just need to monitor changes in the content script via browser.storage.onChanged.addListener. – tst Oct 28 '22 at 04:56