Removed from the chrome webstore

[Procyon-b]

I regularly test one of my own extensions, and one of it capabilities is to bulk-download crx packages of extensions that I have currently installed.
"Enhanced History" isn't available anymore (2020/06/04).
The last time I made the test, May 27 2020, it was downloaded.

[3rock618]

You can find it here. https://www.crx4chrome.com/extensions/blpnkmdkoapbdhpmemnaikpbhajknmdb/

[Procyon-b]

I've a local copy of crx files of all extensions installed (past and present).
It's nice to have a backup available when something like this happens, or if a functionality is removed.

[PsychoData]

Anyone have an idea why this dissappeared from Chrome?

[Procyon-b]

I have no idea. Only @akatrevorjay knows what reason appears in the developer dashboard.
It's probably something related to the new policies, but I don't know what in particular. There was a a time in late 2018, when the extension was unpublished (see #3), and akatrevorjay had to resubmit it several times before it was accepted.

[PsychoData]

Yeah, I figured as much. Seems like Google is just being a pill with the requirements maybe from that previous thread.

Installing from Dev Mode is just annoying cause then Chrome complains at you

[PsychoData]

Threw together some more detailed instructions for manual installation too
PR #13

[akatrevorjay]

Hi everyone. I was speaking with Google about this before the extension was removed, and while I was awaiting a response from them inquiring for further information, they just removed it. I find the way they handle these things extremely frustrating.

What supposedly needs done is drilling down the permissions of the extension to be only what they need to be. This may already be the case, I haven't had time to look yet, I've been very busy as of late. I do hope to take a look this week, but if anyone else wants to take a look have at it! If the permissions are as low as they need to be already, then I need to explain why each permission requested is required to Google.

[Procyon-b]

I also find their behaviour frustrating. If we can believed their rejection message, you can ask questions and interact with the reviewers. But the only responses I've received in the past where variations of the original rejection, with no answer to my question(s) (except for the last message where one word was inserted to hint on the permission causing problem).

I also think that filling in the "privacy" form for the extension is important. For each permission listed, you have to comment/explain why you need that one particularly.

[akatrevorjay]

I also find their behaviour frustrating. If we can believed their rejection message, you can ask questions and interact with the reviewers. But the only responses I've received in the past where variations of the original rejection, with no answer to my question(s) (except for the last message where one word was inserted to hint on the permission causing problem).

this -- they always pull the same thing on me. I ask for specifics, and they email me back the same email with a single word bolded, but never actually answer my questions.

What's irritating is why make me go waste my own time to figure out the exact points they already are aware of that they want changed? Why not just tell me?

[Procyon-b]

What's irritating is why make me go waste my own time to figure out the exact points they already are aware of that they want changed? Why not just tell me?

Exactly. That information should already be included in the original rejection message.

[natevw]

Skimming through the manifest.json, it's unclear why parts of this line are neccessary:

"content_security_policy": "script-src 'self' https://ssl.google-analytics.com https://platform.twitter.com https://www.google.com https://apis.google.com; object-src 'self';",

Didn't all the Google-y stuff and all the analytics already get stripped out? Probably doesn't need to allow scripts from any 3rd parties anymore.

Then of course all the permissions:

"permissions": [
    "chrome://favicon/",
    "history",
    "tabs",
    "contextMenus",
    "storage",
    "unlimitedStorage",
    "identity",
    "sessions",
    "downloads",
    "idle",
    "webNavigation",
    "webRequest",
    "webRequestBlocking"
  ],

Is there a particular need for the identity one?

Also it looks like there might be a new way of getting favicons? https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/CIdvm4zolUg [or maybe not, see e.g. https://stackoverflow.com/a/58668230/179583 for potential tips?]

It'd be great if someone could go through these one at a time, check them out on https://developer.chrome.com/extensions/declare_permissions and see if the underlying API is even used anymore by the code. (Usually it's a pretty simple mapping e.g. webNavigation would normally be via calls to stuff within chrome.webNavigation, storage used via chrome.storage, etc. etc.)

[user8446]

You can also d/l the zip then unzip and place folder in a permanent location (don't delete after installation). Go to the extension page and enable developer mode. Click "Load unpacked" and select the extension folder.

[Procyon-b]

I haven't paid attention to you previous message (it's not as if I could have done something).
Are you sure you have seen it on the webstore between July 2020 and last month?

The developer mode is very useful. I have a bunch of my own extensions, and modified ones, loaded like this. Unfortunately normal users won't use this method. "enhanced history" is probably not targeted to that audience anyways.

[PsychoData]

It'd be great if someone could go through these one at a time

• "permissions": [
  • "chrome://favicon/",
    • used by underscore.js here and used heavily in the Templates use 1, use 2, use 3, use 4
  • "history",
    • yep this is definitely going to be needed - usage example
  • "tabs",
    • used with settings page to link to Settings/ClearBrowserData
  • "contextMenus",
    • used in PageContextMenu, and SelectionContextMenu
      • these look like they are still in-place, but these Pages were fairly heavily involved in the untrackification so maybe they aren't used anymore?
  • "storage",
    • used by Historian for caching last search,
    • it is also used by Chrome-Sync, with some possibly concerning language? "CreateSpy",
    • it is also used by the Statistics page (which is broken in my current client)
  • "unlimitedStorage",
    • If ONLY the Last search is Cached - that should be well under the default 5MB limit.
    • Also looks like storage is used heavily used by Chrome-Sync
    • Chrome-Sync looks like it aims to sync Tags about sites through Chrome Sync, which I could see potentially growing to a size large enough to be needing more than the 5MB pretty easily.
  • "identity",
    • there are several functions named "Identity" but it does NOT look like the Identity API is used
  • "sessions",
    • This is used by Historian.js - it looks like mostly around showing results from multiple Devices
  • "downloads",
    • Used in several parts of Historian.js, search_results_view, Visits_results_View
  • "idle",
    • Supposed to be used to count time if idle on the statistics page
  • "webNavigation",
    • I don't see anything directly using this? But Backbone.js does seem to have some "navigate" methods that relate to filling/loading search results in the Main View and Visits_results_view
  • "webRequest",
    • I don't see anything directly using this?
  • "webRequestBlocking"
    • I don't see anything directly using this?

"content_security_policy": "script-src 'self' https://ssl.google-analytics.com https://platform.twitter.com https://www.google.com https://apis.google.com; object-src 'self';",

I am not 100% familiar with this part, but I could find references to some places, mentioned below

• content_security_policy
  • script-src
    • 'self'
      • Yep, definitely lots of scripts in this repo we will need to load
    • https://ssl.google-analytics.com
      • I don't see any where that uses this one any more
    • https://platform.twitter.com
      • used by Twitter Widgets in Settings View
    • https://www.google.com
      • I don't see any where that uses this one any more
    • https://apis.google.com;
      • used in settings_view for plusone.js
      • Looks like this is essentially used to... dynamically create and then load a script, which the guidance on ContentSecurityPolicy seems to be firmly against
  • object-src
    • 'self';
      • I am guessing this will be necessary, but I don't fully understand the distinction from script source above

I could see Google's reviewers being somewhat against the plusone.js function since it seems to be dynamically loading in script content from a website, and possibly from the Twitter buttons.
If we dropped off the Google +1 script, and fancy Twitter buttons/widgets, then I don't think we're referencing any external code, and could simplify the Content Security Policy a LOT.
And test removing the unchecked Permissions/entries above as well

[natevw]

There appears to be a version of this now offered by "chromio.dev" at https://chrome.google.com/webstore/detail/better-history/egehpkpgpgooebopjihjmnpejnjafefi — any relation to the opensource efforts here? Or maybe someone just did the work themselves privately to offer a version themselves.

Haven't downloaded it yet or peeked inside to see if it's cleaned up but the screenshots look quite similar to the original extension while the developer does seem to have addressed some of the permissions issues:

But I suppose it may still [or may not — again, I haven't checked at all!] include unwanted analytics/trackers if the publisher has revived the plugin as anything but a labor of love.

Further update: the extension description does include:

We do not track any type of your data, usage of this extension or any website usage. Your extension settings exclusively stored inside your browser. We never touch or see this data.

and Privacy Practices tab says:

The publisher has disclosed that it will not collect or use your data

So 🤞 but this might just be someone bringing the extension back in cleaned up form!

Further further update:

I went ahead and installed it as a lazy way to get the CRX bundle. The interface is quite a bit more full featured than I remember this one being and the codebase appears to be quite different. Several of the JS files have "zinlab" in their name so I wonder if the extension was created by this dev shop:

I didn't notice anything obviously nefarious through very some cursory searches through the current (v4.0.2) extension code. So afaict someone invested some time to create an apparently brand new remake of this idea, which is great but of course I don't know and can't vouch for their motivations.