Allow extensions gallery to be scripted or reveal this restriction to all developers and users

druganatopera

druganatopera last edited by admin

Reading this discussion I've thought that it worth a separate thread.

As it said in the link above Opera for some unknown reasons does not allow injecting content scripts on extensions gallery pages (https://addons.opera.com/). Google Chrome and Firefox allow it on their extensions gallery pages. It is a bit strange, I think, because first, I didn't find that fact in documentation, and second if it is forbidden why the https://addons.opera.com/ does not programmatically excluded in <all_urls> matches?

The issue is that if this domain is missed by developer in a testing process that means only after submitting his/her perfect (as they think) extension they will discover the red color error right after the first install of an extension from... the page where scripting is forbidden. BINGO! All the rest of the world is allowed to be scripted by Opera but this particular place not.

Another part of this issue is that a user is informed on the extension page that something will happen after installing it but nothing happens and some impatient users may even uninstall actually working extension at once. BINGO! )):

What we need I think to rid of this restriction in Opera or clearly reveal that security paranoid in the Opera documentation and all the https://addons.opera.com/* pages for users.

A Former User

A Former User last edited by

Hi!

Sorry to hear you have had problems with that.

This is not a security paranoid. There are perfectly valid reasons why you're not allowed to do certain things on https://addons.opera.com

You're right we can do a better job at informing devs about that. @shwetankd, what do you think about that?

Furthermore, how did you test that Chrome allows that? I'm interested to see it. I assume you've tested that with Chrome itself.

gustavwiz

gustavwiz last edited by

@kszularz

This is not a security paranoid.

So what's the reason then?

A Former User

A Former User last edited by

@gustavwiz https://addons.opera.com is not a regular web page from the perspective of your browser. It is an add-ons store (obviously).

In developer or beta edition you can control with Chromium flags which domain serves this purpose.

The add-ons store has an access to a much broader set of APIs. We don't want the injected scripts to be able access those APIs. So yes, this is a security concern, but a valid one, not as the original post suggests.

Furthermore, there are UX concerns. An add-on might modify the store in a way which would make it impossible to install some other add-on(s) (even hiding a button or text change is not welcomed here).

Does it validate the case in your eyes @gustavwiz & @druganatopera?

gustavwiz

gustavwiz last edited by

@kszularz

I thought it was because of security concerns from the beginning, I just became surprised because of "This is not a security paranoid.", but it was apparently only the paranoid part you were denying, and not security.

Does it validate the case in your eyes @gustavwiz & @druganatopera?

Yes