The following post was written by Brandon Venery of Team Spockholm. Those who are wondering what the little Spockholm icon next to your Chrome browser bar is all about or why you needed to give additional permissions to use the Spockholm Mafia Toolbar will find answers. The best part of all this is that Facebook won't be able to break some of our favorite Spocklets anymore.
Recently you may have noticed your Spockholm Toolbar in Chrome went missing. A quick search and you found out a recent update caused it to become disabled in your extensions.
You may wonder why you need to allow more permissions to use it now. This is due to the newest features, I'll explain the permissions in more detail below but the quick answer is for the new feature to work, it needs to be able to load "facebook.com","spocklet.com", and "facebook.mafiawars.zynga.com."
Once the toolbar is re-enabled you should now see a small Spock guy in the top right of your browser.
This new feature allows you to avoid this error and run any slew of facebook based scripts without issues. As you can see though, Switch is the only script (right now) that is a default script. You can add your own though with ease. Click on the "Add New Script" button and you'll get a new screen that looks like this:
If you're trying to add a script not on "spocklet.com" you'll get the message above. ANOTHER PERMISSION? Well yes. To load the script, the extension needs to be able to load that website. Initially for safety and trying to keep new permissions to a minimum, it only requests the ones that are truly needed. All subsequent ones you can request as needed. When you hit the "Request the Permission" button you'll get a screen like this:
If you allow it, your script will now show in the list
If you ever need to remove a script, all you have to is right click on it and hit ok on the confirmation.
From here you can go about all your Facebook scripting needs by just clicking on whichever script you want to use! If you're still unsure, here is a video demo of an earlier version that works the same. http://screencast.com/t/T02ic9pqw
The following is Geek Mode explanation of the permissions and why Chrome's wording is a bit harsh. Continue reading if you so desire, but not relevant to actual script use.
This extension uses the chrome extension API's to accomplish the task. It takes link to the script and passes it to the background page which fires off a XMLHttpRequest to load that script. In normal browsing this would be restricted due to cross site restrictions (a browser security feature, you don't want any old site loading scripts and running them). Chrome Extensions are powerful though in that they can bypass this, but to do so they need explicit permission access to these websites. You can grant these multiple ways, either by defining the websites individually in the manifest or just allowing all_urls. Spockholm Toolbar chose to allow only the specific ones initially, but allow users to request additional ones as needed by using another of the extension API's. The loaded script is then executed using Chrome's execute script API. Now in my opinion, Chrome kind of scaremongers the permissions with its wording of "Can access all data on X site." While you can access the site, it doesn't give it any form of special permission that allows it to take passwords and sensitive data. Only the data that is on the page is available. This is not to say evil developers could not create a way to record things that you enter, but this is why you only install scripts and such from authors and developers you trust.