I like this idea a lot.  We typically give advice to install both extensions and see if there are any new warning messages (or build chromium and test it more explicitly) but these are fragile and/or painful.

I think it would be great if we could surface this somehow in the webstore for developers, so that they could check if and/or be notified that a new version of an extension will require a permissions increase.  James, what do you think?

Something like chrome.management.getPermissionWarningsByManifest but in the chrome.permissions namespace might make sense

If manifesta and manifestb return the same result with chrome.management.getPermissionWarningsByManifest, is it the case that there will be no dialog triggered on update? I have a feeling this is not true.

@2 I think that would mostly work for knowing whether a dialog *won't* show, but it seems really fragile, and knowing our permissions logic, there are probably a few edge cases.  Also, it will return false positives because removing a permission warning results in changing the permission messages (and sometimes the phrasing).  It's certainly not an ideal solution - I think we need to provide some kind of native support (either in chrome or in the webstore).

+Some folks

I agree this could be a nice feature to consider for the developer dashboard -- perhaps it'd be as simple as showing an alert in the UI when a new CRX is uploaded and we detect that the new manifest will trigger the dialogue once the update is published.

Or do you think there should be a way to test this without having to upload a new CRX version?

Depends on what you mean by "upload".  I think the developer should be able to know this *before* they publish a new version.  But I think having them upload a manifest.json file for comparison is reasonable (and necessary).

By "upload", I mean upload a new CRX package to the developer dashboard but not actually publish it.  "publish" is a separate action that takes place after uploading, and is what actually pushes the new version of the CRX (and any updated metadata, etc. etc.) to the store.  

In other words, there's not currently a way to upload a manifest.json file without uploading a full package.  So the developer would need to upload their full package (but not publish it) for us to compare the manifest files.

@6 That sounds like the simplest, best approach. Sounds like it might be hard to accomplish, if the permission/diff checking happens client side. Hopefully it's not!

There is no way we can call the chrome.management.getPermissionWarningsByManifest since this lives in the Chrome.
Though if this API can be exposed somehow in chrome.webstorePrivate we can show that information to the user.

Strike @8, I spoke too soon. We have access to chrome.management API in webstore JS code.

Even if we have access to the API we will not be able to use it correctly, since what is shown to the developer could be different that what can happen to the users of extension. This is because we will show the info from developer's Chrome, and if it somehow different in new Chrome version then it will be misleading. Though I'm not really sure if it is a problem or not.


PS:
Separate finding: 
There is only getPermissionWarningsById, not getPermissionWarningsByManifest in chrome.management.

Maybe because the getPermissionWarningsByManifest function is not inherited from AsyncManagementFunction? https://code.google.com/p/chromium/codesearch#chromium/src/extensions/browser/api/management/management_api.h&l=84

Would we even need to call that API though?  Is there a reason we couldn't just compare the permissions field in the currently published manifest vs. the newly uploaded one?

@8, 9 - see #3 for why you probably don't want to rely on chrome.management API calls.

@10 - Depends on what you mean by "compare".  The comparison logic for determining if the extension will be disabled when it's updated is rather complicated (which is why developers aren't certain when it will happen) - it's not just a case of "if there's anything new".  The easiest approach would probably be adding a new chrome.webstorePrivate API call that can compare the two versions (although, honestly, if we're adding a new API, we could even just put it in chrome.management - there's nothing secret here).  There's a little bit of a concern about chrome versions being different causing a different result, but hopefully it's relatively minor.

This got me thinking if the analog of this problem has a solution on the Play store. I couldn't determine whether there is a mechanism for this. There was at least one SO question. http://stackoverflow.com/questions/33605024/what-permissions-will-require-manual-update

@#11 -- Adding a new API in chrome.management sounds good to me. Shall we track that as the POR?

This issue has been available for more than 365 days, and should be re-evaluated. Please re-triage this issue.
The Hotlist-Recharge-Cold label is applied for tracking purposes, and should not be removed after re-triaging the issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot