We officially locked in the main branch this morning and hit submit on the Chrome Web Store. And almost immediately, we got slapped with an automated rejection.
The violation code was “Purple Potassium.”
If you are a Chrome extension developer, you probably already know what that means: an over-permissioning error. The automated scanners flagged our manifest.json because we requested the scripting permission, but the scanner couldn’t find a single instance of chrome.scripting.executeScript() or insertCSS() anywhere in our background worker.
The scanner was absolutely right. Because Cabeza relies on injecting content scripts declaratively via the content_scripts array in the manifest, the dynamic scripting permission was completely unnecessary dead weight. It was a leftover artifact from early local testing.
We stripped the unused permission out, ran a final build check, and took the opportunity to officially bump the version number from our beta v0.1.36 straight to v1.0.0. Itβs cleaner, safer, and exactly what the Web Store guidelines recommend.
The new, strictly-scoped V1.0.0 payload has been repackaged and resubmitted to the review queue. Now, we wait for Monday.
Leave a Reply