Permissions required? #25

Open
Matir opened this issue Nov 16, 2020 · 2 comments
Labels
question Further information is requested

Comments

@Matir
Contributor

Matir commented Nov 16, 2020

Is there a meaningful difference between <all_urls> and "https://*/*", "http://*/*" in how this extension uses things? It would seem to preclude file://, ftp://, and chrome-extension:// URLs, though I believe it can still access its own extension resources.

@mandatoryprogrammer
Owner

It would still be able to access its own origin (e.g. chrome-extension://randomextid, all extensions can with zero permissions declared), and I'm not sure there is a meaningful distinction here. Not sure how ftp:// works, but file:// you have to explicitly toggle a setting in the extension's specific chrome://extensions setting page which seems unlikely to happen/be part of an attack.

For 99% of use cases, I'd imagine if an extension has https://*/* and http://*/* then it's basically functionally equivalent to <all_urls>. Same for if someone used *://*/* (also a valid host match pattern apparently).

Were you thinking the docs should be a bit more clear on this point?

@mandatoryprogrammer mandatoryprogrammer added the question Further information is requested label Nov 22, 2020
@Matir
Contributor Author

Matir commented Nov 23, 2020

Yeah, it might not be bad. I thought (and in my own testing, it appears correct) that "https://*/*", "http://*/*" just works, but I was wondering if there was an edge case I was not considering.
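
The scheme coverage discussed in this thread, as an added example that is not part of the issue or the extension's code: a simplified JavaScript model of Chrome match patterns that reports which constructed sample URLs `<all_urls>` grants beyond `"https://*/*", "http://*/*"`. The permitted-scheme list (http, https, file, ftp) is taken from Chrome's match-pattern documentation and is an assumption here; `matchesPattern` and `coverageGap` are hypothetical helper names.

```javascript
// Added example: simplified model of Chrome match patterns (not the extension's code).
// Assumption: schemes a host pattern may name, per Chrome's match-pattern docs.
const PERMITTED_SCHEMES = ["http", "https", "file", "ftp"];

const escapeRe = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");

// True if `url` is covered by a single match pattern.
function matchesPattern(pattern, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (pattern === "<all_urls>") return PERMITTED_SCHEMES.includes(scheme);
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error("unsupported match pattern: " + pattern);
  const [, pScheme, pHost, pPath] = m;
  // "*" as the scheme stands for http or https only, never file or ftp.
  const schemeOk = pScheme === "*" ? /^https?$/.test(scheme) : pScheme === scheme;
  if (!schemeOk) return false;
  const host = u.hostname;
  const hostOk =
    pHost === "*" || pHost === host ||
    (pHost.startsWith("*.") && (host === pHost.slice(2) || host.endsWith(pHost.slice(1))));
  if (!hostOk) return false;
  const pathRe = new RegExp("^" + pPath.split("*").map(escapeRe).join(".*") + "$");
  return pathRe.test(u.pathname + u.search);
}

// URLs from `urls` that pattern list `a` grants but pattern list `b` does not.
function coverageGap(a, b, urls) {
  const covered = (pats, url) => pats.some((p) => matchesPattern(p, url));
  return urls.filter((url) => covered(a, url) && !covered(b, url));
}

// Constructed sample URLs, one per scheme raised in the thread.
const SAMPLE_URLS = [
  "https://example.com/account?id=1",
  "http://intranet.example/index.html",
  "ftp://ftp.example.com/pub/file.txt",
  "file:///home/user/notes.txt",
];

const SPLIT = ["https://*/*", "http://*/*"];
console.log(coverageGap(["<all_urls>"], SPLIT, SAMPLE_URLS)); // extra reach of <all_urls>
console.log(coverageGap(["*://*/*"], SPLIT, SAMPLE_URLS));    // extra reach of *://*/*
```

A `file://` match only takes effect once the user enables file access for the extension, as noted in the thread.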
