by achairapart 2150 days ago
>I feel compelled to point out that this extension sends the URLs of all open tabs to algolia.com when you click the extension (at least on Chrome).

Wait, how's that possible? The extension doesn't even have permission to get urls from tabs that are not the active one...


Your comment made me dig in a little more. I was wrong, it is only fetching the current tab, although it wouldn't need more permissions to see all the tabs.

In popup.js[1]:

    chrome.tabs.query({active:true,currentWindow:true}, function(tabs){ ... })

These `active` and `currentWindow` parameters to query() [2] restrict the results to the current tab. If I remove those parameters and run in DevTools, I seem to get a full tab listing.

[1]: https://github.com/pinoceniccola/what-hn-says-webext/blob/ma...

[2]: https://developer.chrome.com/extensions/tabs#method-query

Even without the `active` and `currentWindow` parameters, the extension cannot get URLs and titles from other tabs because it has only the `activeTab`[1] permission declared in the manifest. You need a more powerful permission for that.

I think with the `activeTab` permission you still get an object for every tab other than the active one, but without access to the `url`, `title` and `favIconUrl` properties.

Thanks for checking out anyway. I built this tool especially because all of the others already available were a privacy nightmare.

[1]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
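
As an added example (not part of the thread and not the extension's own code), this JavaScript check classifies from a manifest how much tab URL and title data `chrome.tabs.query()` can return, which is the question the comments above settle by hand. The function name `tabUrlExposure`, its return labels and the sample manifests are assumptions constructed for illustration; only required permissions are considered, not `optional_permissions`.

```javascript
// Added example: decide from manifest.json whether an extension can read
// url/title/favIconUrl of tabs returned by chrome.tabs.query().
// Those properties are only populated with the "tabs" permission or a host
// permission matching the tab; "activeTab" covers only the active tab, and
// only after the user invokes the extension.

// Match patterns that cover every page.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*"]);

// An entry is a host match pattern if it is <all_urls> or carries a scheme.
function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

function tabUrlExposure(manifest) {
  const perms = manifest.permissions || [];
  // MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter(isHostPattern),
  ];

  if (perms.includes("tabs")) return "all-tabs";
  if (hosts.some((h) => BROAD_HOSTS.has(h))) return "all-tabs";
  if (hosts.length > 0) return "matching-hosts-only";
  if (perms.includes("activeTab")) return "active-tab-after-user-click";
  return "none";
}

// Constructed sample manifests (not copied from any real extension).
const samples = {
  activeTabOnly: { manifest_version: 2, permissions: ["activeTab"] },
  tabsPermission: { manifest_version: 2, permissions: ["activeTab", "tabs"] },
  mv2AllUrls: { manifest_version: 2, permissions: ["storage", "<all_urls>"] },
  mv3OneHost: {
    manifest_version: 3,
    permissions: ["storage"],
    host_permissions: ["https://news.ycombinator.com/*"],
  },
  noTabAccess: { manifest_version: 3, permissions: ["storage"] },
};

for (const [name, manifest] of Object.entries(samples)) {
  console.log(name.padEnd(16), tabUrlExposure(manifest));
}
```
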