I recently made a Chrome Extension (FrontPage) which uses the New York Times API.
I send an AJAX request to the API and it responds with JSON. However, in order to be able to do so, I need to set permissions in the manifest.json file to be https://api.nytimes.com/* thusly:
...
"permissions": [ "https://api.nytimes.com/*" ],
...
in order to not have the Extension crash and burn and give a Cross Origin rejection.
However, any time a user installs my Extension from the Web Store, they get a scary-looking warning along the lines of: "[The extension] Can access all your data on api.nytimes.com".
All I'm doing is sending a request and receiving + parsing a response from a public API. The warning seems excessive. I'm not storing in any way, any user data.
Is there a way around this, i.e. is there a way to use an API in a Chrome Extension without displaying this warning to the user? Am I approaching this in a non-canonical way?
There is no way to do what you are asking. Chrome is just informing users what your app can do. They have no way to trust you. What I suggest you do, and what I have seen others do, is inform potential downloaders of the warning on your app's description page.
Something like
"Warning: you may get a scary warning message blah blah because my extension blah blah, I don't do anything with your data, I encourage you to look at the source if you are curious."
Most people are used to seeing and accepting these warnings by now anyways. Yours actually makes a lot of sense, because users can intuitively see how that page is related to your extension.
"Read and modify all your data on all websites you visit" is a bit more tricky to deal with.
To more directly deal with your original question: It's the stuff you put in the "permissions" array that determines what warnings (if any) get generated.
Here is a list of all of the possible warning messages and the permissions they apply to. The page also contains a listing of the permissions which don't generate any warning messages.
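
As an added example (not part of either post above): a small Node.js check that classifies the entries of a manifest's permission arrays by how much host access they request, so the narrow `https://api.nytimes.com/*` pattern from the question can be told apart from all-site patterns before publishing. The function names, scope labels and sample manifests are assumptions made for this illustration, and match-pattern parsing is simplified to `http`, `https` and `*` schemes.

```javascript
// Added example: classify manifest permission entries by host scope.
// Simplified match-pattern grammar: <scheme>://<host>/<path>, http(s) or "*" only.
const MATCH_PATTERN = /^(\*|https?):\/\/([^\/]+)(\/.*)$/;
const RANK = { "single-host": 1, "domain-wildcard": 2, "all-hosts": 3 };

function classifyPermission(entry) {
  if (entry === "<all_urls>") return { entry, kind: "host", scope: "all-hosts" };
  // Entries without "://" are API permissions such as "storage".
  if (!entry.includes("://")) return { entry, kind: "api", scope: null };
  const m = MATCH_PATTERN.exec(entry);
  // Other schemes or malformed patterns are outside this simplified check.
  if (!m) return { entry, kind: "other", scope: null };
  const host = m[2];
  if (host === "*") return { entry, kind: "host", scope: "all-hosts" };
  if (/^\*\.[^*]+$/.test(host)) return { entry, kind: "host", scope: "domain-wildcard" };
  if (!host.includes("*")) return { entry, kind: "host", scope: "single-host" };
  return { entry, kind: "other", scope: null };
}

function auditManifest(manifest) {
  // Manifest V2 lists hosts in "permissions"; Manifest V3 uses "host_permissions".
  const entries = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .map(classifyPermission);
  // Report the widest host scope requested anywhere in the manifest.
  const broadest = entries.reduce(
    (best, e) => ((RANK[e.scope] || 0) > (RANK[best] || 0) ? e.scope : best), "none");
  return { broadest, entries };
}

// Constructed sample manifests (the first uses the host pattern from the question).
const narrowManifest = { permissions: ["storage", "https://api.nytimes.com/*"] };
const broadManifest = { permissions: ["storage", "*://*/*"] };

for (const m of [narrowManifest, broadManifest]) {
  const { broadest, entries } = auditManifest(m);
  console.log(broadest, entries.map((e) => `${e.entry} -> ${e.scope || e.kind}`));
}
```

Run against a real manifest.json in a release check, a result of `all-hosts` is the case to review, since that is the scope behind the "all websites" warning mentioned in the answer.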