fix(extension-chrome): drop 'tabs' manifest permission + fallback#27
Merged
Conversation
The popup's getActiveTab() had a fallback that called
chrome.tabs.query({}) to find the most-recently-accessed regular tab
when the popup was opened as a page rather than the toolbar action.
That fallback required the broad 'tabs' permission, which grants the
extension read access to title + URL of ALL open tabs — way more than
the MVP needs.
The fallback existed only to make Playwright e2e tests pass: Playwright
opens popup.html as a normal page rather than via the action icon, so
'activeTab' doesn't kick in. In real Chrome, clicking the toolbar icon
IS the activeTab gesture; the user's tab is accessible without 'tabs'.
Drop the fallback. Drop 'tabs' from manifest.config.ts. The 2 affected
e2e tests are skipped with documentation linking to #3 + #5 (same
family as the Playwright SW-dispatch gap). Save-flow unit coverage in
test/save-flow.test.ts + test/bookmarks-file.test.ts remains intact;
the GitHub round-trip is also covered by sync.spec.ts.
Closes #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The popup's getActiveTab fallback that called
chrome.tabs.query({})required the broadtabspermission (read access to ALL open tabs' title + URL). Drop the fallback and the permission. Production code now relies onactiveTabwhich Chrome grants when the user clicks the toolbar action.Why the fallback existed
Playwright e2e tests open
popup.htmlas a regular tab rather than via the action gesture, soactiveTabdoesn't kick in there. The fallback masked that test limitation by scanning all tabs.What this PR does
popup.ts'tabs'frommanifest.config.tstest/save-flow.test.ts+test/bookmarks-file.test.tsstill in place; GitHub round-trip covered bysync.spec.tsTest plan
pnpm test94/94pnpm typecheckcleanpnpm buildclean —dist/manifest.jsonno longer requeststabspnpm e2e4 passed, 2 skipped (documented)Closes #3