For the past three years I have maintained a browser extension that I publish to both the Firefox and Chrome web stores.

I recently received an automated email from the Chrome web store overlords who had decided I was violating the “Use of permissions” policy by requesting the cookies permission “without using it”.

Here is a snippet from the manifest.json for my extension:

{
  "permissions": [
    "activeTab",
    "contextMenus",
    "notifications",
    "cookies",
    "https://<SPECIFIC_WEBSITE_RUN_BY_ME>/"
  ]
}

I request the cookies permission for https://<SPECIFIC_WEBSITE_RUN_BY_ME>/ so that I can transparently use the cookie set by that website when the user logs in to send authenticated HTTP requests from the extension. Nothing crazy:

function createRequest(query: GraphQLQuery): Request {
  return new Request(`${BASE_URL}/gql`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(query),
  });
}

The email informing me of this “violation” gave me an avenue to appeal. Since this seemed like it was just a little misunderstanding, I explained how the cookie set by logging in to the website was being used to send authenticated HTTP requests from the browser extension. Silly me, of course there are no actual humans checking appeals at Google.

Upon subsequent review, we found that your item is not compliant with our “Use of permissions” policy.

Please find the details of the violation below:

Use of permissions:

• Violation: “cookies” permission is requested, but not used in the code.

• How to rectify: Remove “cookies” permission from the manifest file.

We request you to submit your item for a review with the above corrective actions. Your submission will be approved if we find it to be compliant with all our policies.

I could have appealed the rejection, but I knew how this would ultimately have to end.

let sid = await browser.cookies.get({
  name: "sid",
  url: "https://<SPECIFIC_WEBSITE_RUN_BY_ME>",
});

console.log(sid);

And just like that, I once again became compliant with the “Use of permissions” policy.
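The kind of check that can produce a "requested, but not used in the code" finding, as an added example that is not code from this post or from the Chrome Web Store: a static scan that flags declared API permissions whose `browser.*` / `chrome.*` namespace never appears in the extension's source. That the store's review works this way is an assumption; `API_NAMESPACES`, `auditPermissions`, the host `example.invalid` and the sample sources are all constructed for illustration.

```javascript
// Added example: all names here are illustrative, not from the original post.
// API permissions mapped to the namespace a script must reference to use them.
const API_NAMESPACES = {
  cookies: "cookies",
  contextMenus: "contextMenus",
  notifications: "notifications",
};

// Drop block and line comments so a mention in a comment does not count as use.
// The [^:] guard keeps "https://..." string literals intact.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/(^|[^:])\/\/.*$/gm, "$1");
}

// Classify each declared permission as used, unused, or not checkable this way.
function auditPermissions(manifest, sources) {
  const code = Object.values(sources).map(stripComments).join("\n");
  const report = { used: [], unused: [], notChecked: [] };
  for (const perm of manifest.permissions ?? []) {
    const ns = API_NAMESPACES[perm];
    if (!ns) {
      // Host patterns and activeTab have no API namespace to look for.
      report.notChecked.push(perm);
      continue;
    }
    const re = new RegExp(`\\b(?:browser|chrome)\\s*\\.\\s*${ns}\\b`);
    (re.test(code) ? report.used : report.unused).push(perm);
  }
  return report;
}

// Constructed sample input: the manifest shape from the post with a placeholder host.
const manifest = {
  permissions: ["activeTab", "contextMenus", "notifications", "cookies",
    "https://example.invalid/"],
};
const before = { "background.js": `
  // no browser.cookies call here, only fetch()
  browser.contextMenus.create({ id: "save", title: "Save" });
  browser.notifications.create({ type: "basic", title: "Saved", message: "ok" });
  fetch("https://example.invalid/gql", { method: "POST" });
` };
const after = { "background.js": before["background.js"] +
  `browser.cookies.get({ name: "sid", url: "https://example.invalid" });` };

console.log(auditPermissions(manifest, before), auditPermissions(manifest, after));
```

Run before submission, a scan like this shows which manifest entries a reviewer cannot tie to an API call, which is also a quick least-privilege check on the manifest itself.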

