@adamziel
Collaborator

Summary

The Chrome Web Store discourages extensions that request <all_urls> host permissions, as it triggers additional review scrutiny and can delay publishing.

This PR narrows the default permissions to known Playground domains while preserving full functionality through optional permissions:

  • Default host_permissions now only includes: playground.wordpress.net, developer.wordpress.org, developer.woocommerce.com, developer.wordpress.com, wordpress.org, localhost, 127.0.0.1
  • Added optional_host_permissions: ["<all_urls>"] for user-granted access to other domains
  • When users visit a non-allowlisted site, the DevTools panel shows a "Permission Required" screen with a button to grant access
  • Once granted, the content script injects programmatically and scanning resumes

Test plan

  • Load the extension on playground.wordpress.net - should work without any permission prompts
  • Load the extension on localhost - should work without any permission prompts
  • Load the extension on a custom domain with embedded Playground - should show permission request UI
  • Click "Grant Permission" - Chrome should show permission dialog, then scanning should resume

The Chrome Web Store discourages extensions that request access to all
URLs, as it triggers additional review scrutiny and can delay publishing.

This change limits the default host_permissions to known Playground
domains (playground.wordpress.net, developer.wordpress.org, localhost,
etc.) while adding optional_host_permissions for everything else.

When users visit a site not in the allowlist, the DevTools panel shows
a permission request UI. Once granted, the content script is injected
programmatically and scanning resumes. This gives users full flexibility
while keeping the default permission scope minimal.
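
The flow described in this PR, as an added example that is not the PR's own code: classify the inspected URL against the default host list, request access for just that origin when it is not listed, then inject. The exact-host matching, the match-pattern form, `content-script.js`, and the function names are assumptions; the `chrome.permissions` and `chrome.scripting` calls are the standard extension APIs.

```javascript
// Host names are taken from the PR description. Everything else here
// (exact-host matching, file name, function names) is an assumption.
const DEFAULT_HOSTS = [
  'playground.wordpress.net', 'developer.wordpress.org',
  'developer.woocommerce.com', 'developer.wordpress.com',
  'wordpress.org', 'localhost', '127.0.0.1',
];

// Compare the parsed hostname exactly. A substring or suffix test would
// treat "wordpress.org.evil.example" as allowlisted.
function classifyUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { kind: 'unsupported' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { kind: 'unsupported' };
  }
  if (DEFAULT_HOSTS.includes(url.hostname)) return { kind: 'default' };
  // Ask only for the visited host rather than everything that
  // optional_host_permissions ("<all_urls>") would allow.
  return { kind: 'optional', origins: [`${url.protocol}//${url.hostname}/*`] };
}

// Call from the "Grant Permission" click handler:
// chrome.permissions.request() must be triggered by a user gesture.
// `api` is injectable so the logic can be exercised outside the browser.
async function ensureAccessAndInject(tabId, rawUrl, api = globalThis.chrome) {
  const verdict = classifyUrl(rawUrl);
  if (verdict.kind === 'unsupported') return false;
  if (verdict.kind === 'optional') {
    const held = await api.permissions.contains({ origins: verdict.origins });
    if (!held && !(await api.permissions.request({ origins: verdict.origins }))) {
      return false; // user declined: keep showing "Permission Required"
    }
    // Non-default hosts have no static content script, so inject now.
    await api.scripting.executeScript({
      target: { tabId },
      files: ['content-script.js'], // hypothetical file name
    });
  }
  // Default hosts are assumed to be covered by the manifest's own
  // content script declaration, so nothing is injected for them.
  return true;
}
```
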