Facebook API Question posted in
The official documentation for the Facebook APIs can be found here.

Constantly getting the rejection – "Due to the Host Permission, your extension may require an in-depth review which will delay publishing."

I am trying to publish the extension to chrome app store. I tried many times but getting rejected every time,

the menifest file is:-

{
  "name": "App name",
  "description": "Blank!",
  "version": "0.0.0.1",
  "manifest_version": 2,
  "icons": {
    "128": "icon.png"
  },
  "background": {
    "page": "background.html",
    "persistent": false
  },
  "browser_action": {
    "default_icon": "icon.png",
    "default_popup": "popup.html",
    "default_title": "Name"
  },
  "content_scripts": [
    {
      "all_frames": true,
      "css": ["css/main.css"],
      "js": [
        "js/jquery-3.1.0.min.js",
        "js/popup.js",
        "main.js",
        "js/dashboard.js"
      ],
      "matches": [
        "*://*.facebook.com/*/*/requests/",
        "*://*.facebook.com/*/*/requests",
        "*://*.facebook.com/*"
      ],
      "run_at": "document_end"
    }
  ],
  "content_security_policy": "script-src 'self' https://apis.google.com 'unsafe-eval'; object-src 'self'",
  "update_url": "https://clients2.google.com/service/update2/crx", 
  "oauth2": {
    "client_id": "xxxxxx-xxxxxxxxxx.apps.googleusercontent.com",
    "scopes": [
      "https://www.googleapis.com/auth/spreadsheets"
    ]
  },
  "permissions": [
    "tabs",
    "storage",
    "notifications",
    "identity",
    "*://*.herokuapp.com/*"
    ],
  "web_accessible_resources": ["*.png"]
}

THe answers that I am submitting is like so-

Permission justification

Error Due to the Host Permission, your extension may require an in-depth review which will delay publishing.

  1. tabs- to get the current tab url or location.
  2. storage – to store the user token for authentication and user specific data.
  3. notifications – to show the messages to the user when they logged in or logged out.
  4. identity – to authorize user using google
  5. Host permission –
    1. https://.facebook.com/ = to get the facebook page URL and get the facebook group Id from the url
    2. https://.facebook.com//*/requests/ = to get the request page inside the facebook and hence to activate the extension feature related to that group
    3. https://.herokuapp.com/ = to access the apis from the backend server and to manage all the basic functionality.
  6. Remote code – Yes, I am using remote code – I have called the google api module (https://apis.google.com) for adding the data to the user’s given google sheet.

I have tried more than 5 time in a row, still gets rejects with the same error.
Let me know where I am making mistake.

Tags:

3

Answers


  1. Chosen as BEST ANSWER
    0

    I have found that it's necessary to submit the privacy policy and terms of services links to the chrome store account section.

    Hope it worked for you also.


  2. 0

    Nobody knows how Chrome performs their reviews but at a minimum you should carefully go over the permissions, remove the ones you don’t need and restrict the ones you have. I don’t know how your extension works but it looks like there’s a ton you can do here:

    • "tabs – to get the current tab url or location" – You shouldn’t need this permission to get the current tab URL, only for more invasive queries.

    • "https://.herokuapp.com/" – This should be limited to the host you need to communicate to. Why would you need to communicate to any Heroku app at all?

    • "storage – to store the user token for authentication and user specific data." – Are you sure you need this? Test without it.

    • "script-src … ‘unsafe-eval’" – This is a massive security risk. You’d be best to change your implementation to not need this.

    • "object-src ‘self’" – Why do you need this? You probably don’t.

    • For the content_security_policy, you’d be better adding "default-src ‘none’;" to remove all permissions, then only add in only the ones you need.

    • "Remote code – Yes, I am using remote code – I have called the google api module" – Why do you need remote code for this? You should be able to implement this with JavaScript contained within your app + HTTP requests.

    Hope that helps. The opaque Chrome review process is horrible.

    Login or Signup to reply.
  3. 0

    For me, I was getting that message not because it was failing the review, but because I had not yet filled out the box "Host permission justification". You need to fill out this in order to be able to submit, otherwise it fails the form validation as it’s a mandatory field.

    enter image description here

    In my case host permission was required because I was using a regex for a content script in the manifest file.

    After completing the host permission justification field, I was able to submit. As the message suggests, requiring this permission could mean the review takes longer than if it is not required.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search