Manifest.json permissions are over-scoped

[helfrichmichael]

Hi,

Great extension and idea. I've been pretty bummed with Thingiverse continuing to deteriorate their platform, so I'm a huge fan of this idea!

Looking at the content script injection approach, the permissions are a little over-scoped IMO given the intention of this extension (it wants access to any and all websites).

Would it be possible to modify the content script matching to https://*thingiverse.com/* and/or https://www.thingiverse.com/*. This will restrict the extension to only injecting the content script into Thingiverse webpages. In the current approach, I believe this is injecting the JS into every single webpage you are visiting.

More on this here https://developer.chrome.com/docs/extensions/mv3/content_scripts/#static-declarative.

Happy to make a pull request if you're open to that also.

[stephancasas]

Hi, Michael!

Thanks for raising this issue. I agree that the permissions are over-scoped. This was an unintended consequence of adjusting the extension icon's fill colour based on context. When the frontmost tab is pointed at a location on thingiverse.com, the extension's icon should be blue. Elsewhere, it should be either a light or dark grey — based on the user's dark/light-mode preference.

I couldn't think of a way (admittedly, I didn't try very hard) to modify this (including dark/light resolution) without reading the current tab via injection, but if you can think of another option, I'd definitely be open to a pull request or a suggestion.

Thanks!

[helfrichmichael]

Thanks, I took a poke at this in #4. Let me know what you think :).

[stephancasas]

I'll take a look this evening! Thanks for taking a stab at this!