
It would be nice if Google could make some of the Chrome permissions a bit more fine-grained.

This one needs to "read and change your data on all websites", but with a better extensions architecture could be something much less scary like "read and change your data on the current website whenever you click the extension's icon".



That granularity exists -- it's called activeTab: https://developer.chrome.com/extensions/activeTab

(Though it might not be possible to modify the referer with activeTab alone :/)


Nifty tip. Let's try it, and see if it works.

Edit: Sorry bud. I gave it a shot, and `activeTab` doesn't allow you to modify the "Referer" header.


Yeah, if you really want to do this, you can use chrome.permissions with "optional_permissions" set in your manifest requesting all urls -- then call permissions.request() on invocation to add a specific host.

See: https://developer.chrome.com/extensions/permissions


There is always the option of not messing with the request at all. Instead actually have it redirect through google. For example you could have the background script do:

  // Background script: on icon click, bounce the current tab through a google.com URL.
  chrome.browserAction.onClicked.addListener(function(tab) {
    chrome.tabs.executeScript({
      code: 'window.stop(); window.location = "http://www.google.com/badurl/' + encodeURIComponent(tab.url) + '";'
    });
  });

and then you can have a content script run on "http://www.google.com/badurl/*" which just does:

  // Content script: navigate on to the original URL carried in the path.
  window.location = decodeURIComponent(window.location.pathname.split("/")[2]);

Now that is super brittle compared to your solution, but it does work (for the sites I tried, some may require you to actually fake a search query). It only requires the activeTab permission and content script permissions on one page.


You could dynamically (and temporarily - use chrome.permissions.remove when the tab navigates or closes) request the webRequest permission for the current host when the user clicks the browser action icon. Yes, that would mean clicking again to confirm whenever the user wants to use the extension, although it's possible that Chrome will remember what permissions have been granted and not prompt the user for future use on the same site.
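Added example, not part of the thread and not code from the extension under discussion: a background-script sketch of the per-host grant and revoke cycle described in the two comments above about `optional_permissions` and `chrome.permissions.remove`. The helper names `hostPattern` and `installScopedGrant` are hypothetical, and it assumes the manifest lists `"optional_permissions": ["<all_urls>"]` and that `tab.url` is hidden on hosts the extension has no access to.

```javascript
// Added example. Assumes manifest.json has "optional_permissions": ["<all_urls>"],
// so the extension holds no host access until the user clicks its icon.

// Turn a tab URL into a match pattern for that host only; null for non-web pages.
function hostPattern(tabUrl) {
  let u;
  try { u = new URL(tabUrl); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.protocol + "//" + u.hostname + "/*"; // port dropped on purpose
}

// Wire the grant/revoke lifecycle onto a chrome-like API object.
// Returns the tabId -> pattern map so the current grants can be inspected.
function installScopedGrant(api) {
  const granted = new Map();

  function revoke(tabId) {
    const pattern = granted.get(tabId);
    if (!pattern) return;
    granted.delete(tabId);
    // Keep the host grant while another tab still depends on it.
    if ([...granted.values()].includes(pattern)) return;
    api.permissions.remove({ origins: [pattern] }, function () {});
  }

  // The icon click is the user gesture that permissions.request() requires.
  api.browserAction.onClicked.addListener(function (tab) {
    const pattern = hostPattern(tab.url);
    if (!pattern) return;
    api.permissions.request({ origins: [pattern] }, function (ok) {
      if (ok) granted.set(tab.id, pattern);
    });
  });

  // Revoke when the tab starts loading a page on another host, or is closed.
  api.tabs.onUpdated.addListener(function (tabId, changeInfo, tab) {
    if (changeInfo.status !== "loading" || !granted.has(tabId)) return;
    // Assumption: a hidden tab.url means the tab left the granted host.
    if (hostPattern(tab.url) !== granted.get(tabId)) revoke(tabId);
  });
  api.tabs.onRemoved.addListener(revoke);
  return granted;
}

// In the extension's background page the real API exists; elsewhere this is a no-op.
if (typeof chrome !== "undefined" && chrome.permissions) installScopedGrant(chrome);
```

Any header rewriting would hang off the `ok` branch and be torn down in `revoke`, so the extension's reach at any moment is the set of hosts the user has clicked on and not yet left.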


Alternatively, it would be good if extensions could have a whitelist and/or blacklist of sites that they are enabled on, with most extensions having a default blacklist of all financial sites, banks, brokerages, email accounts, etc. Perhaps also create a way for corporations to blacklist their intranets. It makes me very nervous that if some extension owner sells out to the wrong person, suddenly they could see my private information.


Agreed -- see this never-ending Chrome bug: https://code.google.com/p/chromium/issues/detail?id=177351


Yeah and then you could extort people for money like the AD-Block guy!


I haven't used AdBlock for a year or so now, but I'm fairly certain his model was donationware. Did something change recently?


The AdBlock Plus guy gets paid by companies to put their site on the "unobtrusive ads" list -- those ads don't get blocked for the majority of AdBlock Plus users.


Yeah, especially that last part. It would be great if all permissions started with "Upon page load..." or "Upon clicking the extension icon..."


The issue is that if it can modify one page, it can use that to inject code to request data from any web site. Those requests will contain your cookies for those sites so your data can be revealed.


I'm not an expert on security, but wouldn't that only apply to sites that have XSS vulnerabilities? The extension script only needs to have the same trust level as the top-level HTML in order to do its thing, in most cases.

At the moment, the ask is that users put 100% trust into some extension from the Chrome Web Store. It's not clear that Google does much to ensure that the companies are even who they say they are. It's a completely unreasonable ask, in my opinion. Then, in other areas, Google is hyper-sensitive about security. E.g., Chrome, under some circumstances, won't even let users download zip files anymore without trying to intervene. (https://code.google.com/p/chromium/issues/detail?id=423217)



