Chrome Web Store Publication Checklist
Use this page as the source-of-truth checklist before uploading a Chrome Web Store package.
Store Listing
- Single purpose: provide local browser tools for Salesforce administrators, developers, and integrators to inspect and operate Salesforce org data, metadata, APIs, logs, access diagnostics, and navigation from the active Salesforce session.
- Developer relationship statement: Salesforce Inspector Advanced is an independent project and is not affiliated with, endorsed by, or sponsored by Salesforce.
- Support URL: project issue tracker or documentation support page.
- Privacy policy URL: the project privacy documentation.
- Required images: extension icon `128x128`, at least one screenshot `1280x800` or `640x400`, and small promo image `440x280`.
- Listing copy must not claim official Salesforce status, Chrome Web Store ranking, endorsement, or certification unless separately approved.
Privacy Practices
Declare data use consistently with PRIVACY.md.
- Website content: Salesforce page context, object metadata, record data shown or requested by user-facing tools, page URL context for active Salesforce pages.
- Authentication information: Salesforce session cookies are read for Salesforce domains, OAuth access tokens may be generated and stored when the user enables API Access Control support, and Login Manager credentials may be saved locally by the user.
- User activity: local query/request/history data, saved feature configuration, Record Watch runs and snapshots, API statistics when enabled.
- Personal communications: no.
- Financial/payment/health data: no intentional collection by the extension; Salesforce records may contain user-controlled business data depending on the org and user actions.
- Data sale, advertising, profiling, and unrelated third-party transfer: no.
- Remote backend operated by maintainers: no.
Login Manager credential encryption is enabled by default. A user-provided passphrase is required before credentials are persisted. Users may disable credential encryption in Login Manager settings; if disabled, credentials remain local but are not encrypted by the extension.
Permission Justifications
- `storage`: stores local preferences, saved requests, histories, feature configuration, cache entries, generated OAuth tokens when configured, and Login Manager data.
- `cookies`: reads Salesforce `sid` cookies on Salesforce domains to reuse the active browser session for Salesforce API calls and, when requested by the user, copies the current Salesforce session into an incognito Salesforce window.
- `alarms`: schedules Record Watch polling and other browser-managed background checks.
- `host_permissions` for Salesforce domains: limits API calls, content runtime, and page integration to Salesforce-owned and Salesforce-hosted domains supported by the extension.
- `content_scripts.matches` for Salesforce domains with `all_frames`: injects the inspector button and contextual helpers into Salesforce Lightning, Visualforce, setup, builder, and embedded Salesforce frames.
- `web_accessible_resources`: exposes only extension pages and the Lightning bridge needed by Salesforce pages to open the popup, Quick Find, tool pages, and navigation helpers.
- `incognito: split`: isolates normal and incognito extension state while supporting explicit user-launched incognito Salesforce login/session workflows.
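One way to catch drift between a built manifest and the justifications above, as an added example that is not the project's own code. The function names, the `ALLOWED_HOST_SUFFIXES` allowlist, and both sample manifests are assumptions made for illustration; substitute the extension's real Salesforce domain list.

```javascript
// Added example, not the project's code. The permission set is the one justified
// on this page; ALLOWED_HOST_SUFFIXES is an assumed allowlist to replace.
const JUSTIFIED_PERMISSIONS = new Set(["storage", "cookies", "alarms"]);
const ALLOWED_HOST_SUFFIXES = ["salesforce.com", "force.com"]; // assumption
// Host part of a match pattern such as "https://*.force.com/*".
function hostOfPattern(pattern) {
  const m = /^(\*|https?|wss?):\/\/([^/]+)\//.exec(pattern);
  return m ? m[2] : null; // null for "<all_urls>" and malformed patterns
}

function hostAllowed(pattern) {
  const host = hostOfPattern(pattern);
  if (!host) return false;
  const bare = host.replace(/^\*\./, "");
  if (bare.includes("*")) return false; // bare "*" or wildcard mid-host
  return ALLOWED_HOST_SUFFIXES.some((s) => bare === s || bare.endsWith("." + s));
}

function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions ?? []) {
    if (!JUSTIFIED_PERMISSIONS.has(p)) findings.push(`unjustified permission: ${p}`);
  }
  const matchesOf = (entries) => (entries ?? []).flatMap((e) => e.matches ?? []);
  const sources = {
    host_permissions: manifest.host_permissions ?? [],
    "content_scripts.matches": matchesOf(manifest.content_scripts),
    "web_accessible_resources.matches": matchesOf(manifest.web_accessible_resources),
  };
  for (const [field, patterns] of Object.entries(sources)) {
    for (const pat of patterns) {
      if (!hostAllowed(pat)) findings.push(`${field} outside allowlist: ${pat}`);
    }
  }
  if (manifest.incognito !== "split") findings.push('incognito is not "split"');
  return findings;
}

// Constructed sample manifests (not the project's real manifest).
const cleanManifest = {
  permissions: ["storage", "cookies", "alarms"],
  host_permissions: ["https://*.salesforce.com/*", "https://*.force.com/*"],
  content_scripts: [{ matches: ["https://*.salesforce.com/*"], all_frames: true }],
  web_accessible_resources: [{ resources: ["popup.html"], matches: ["https://*.force.com/*"] }],
  incognito: "split",
};
const driftedManifest = { ...cleanManifest, permissions: ["storage", "tabs"],
  host_permissions: ["https://salesforce.com.evil.example/*"],
  content_scripts: [{ matches: ["<all_urls>"] }], incognito: "spanning" };
console.log(auditManifest(driftedManifest));
```

The suffix comparison is anchored on a dot boundary, so a look-alike host that merely begins with an allowed domain is reported rather than accepted.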
Remote Code
Select "No remote code" in the Chrome Web Store privacy form only after verifying:
```bash
rg "eval\\(|new Function|importScripts\\(|https?://[^\\\"'[:space:]]+\\.js([?\\\"'[:space:]]|$)|unpkg|cdn" addon src
```
The extension may fetch Salesforce API responses, user-requested OpenAPI documents, project documentation links, and uninstall/survey URLs, but those responses must not be executed as extension logic.
Package Gate
Run from a clean working tree:
```bash
npm run typecheck
npm run build
npx eslint src
npm run test:e2e:mock
npm run chrome-release-build
unzip -l target/chrome/chrome-release-build-v*.zip | rg "\\.(map|DS_Store|d\\.ts)$|test-popup|manifest-firefox|PageHeader-examples" && exit 1 || true
```
Load target/chrome/dist as an unpacked extension and smoke test at least:
- Popup and Quick Find on a Salesforce page.
- Login Manager first-run passphrase setup, save, reload, unlock, launch tab, launch window, and launch incognito.
- Data Export query and CSV export.
- REST Explorer request history.
- Record Watch alarm setup and deletion.
- Options page token deletion and cache clearing.
Submission Notes
- Bump `addon/manifest.json` version before uploading a new Chrome Web Store package.
- Fill Store Listing and Privacy tabs before using the Chrome Web Store Publish API.
- Publish to trusted testers first when permissions, privacy fields, Login Manager, or background behavior changed.