Request additional permissions immediately on clicking 'Post from URL' and only then. #2230

src/Posting/QR.coffee

@@ -430,14 +430,15 @@ QR =
   handleUrl: (urlDefault) ->
     QR.open()
     QR.selected.preventAutoPost()
-    url = prompt 'Enter a URL:', urlDefault
+    CrossOrigin.permission ->
-    return if url is null
+      url = prompt 'Enter a URL:', urlDefault
-    QR.nodes.fileButton.focus()
+      return if url is null
-    CrossOrigin.file url, (blob) ->
+      QR.nodes.fileButton.focus()
-      if blob and not /^text\//.test blob.type
+      CrossOrigin.file url, (blob) ->
-        QR.handleFiles [blob]
+        if blob and not /^text\//.test blob.type
-      else
+          QR.handleFiles [blob]
-        QR.error "Can't load file."
+        else
+          QR.error "Can't load file."
 
   handleFiles: (files) ->
     if @ isnt QR # file input

src/meta/eventPage.coffee

@@ -8,47 +8,41 @@ chrome.runtime.onMessage.addListener (request, sender, sendResponse) ->
     chrome.tabs.sendMessage sender.tab.id, {id, data: response}
 
 handlers =
-  ajax: (request, cb) ->
+  permission: (request, cb) ->
-    if request.responseType is 'arraybuffer'
+    chrome.permissions.contains
-      # Cross-origin image fetching. Need permission.
+      origins: ['*://*/']
-      chrome.permissions.contains
+    , (result) ->
-        origins: ['*://*/']
+      if result
-      , (result) ->
+        cb()
-        if result
+      else
-          ajax request, cb
+        chrome.permissions.request
-        else
+          origins: ['*://*/']
-          chrome.permissions.request
+        , ->
-            origins: ['*://*/']
+          cb()
-          , ->
-            ajax request, cb
-      return true
-    else
-      # JSON fetching from non-HTTPS archive.
-      ajax request, cb
 
-ajax = (request, cb) ->
+  ajax: (request, cb) ->
-  xhr = new XMLHttpRequest()
+    xhr = new XMLHttpRequest()
-  xhr.open 'GET', request.url, true
+    xhr.open 'GET', request.url, true
-  xhr.responseType = request.responseType
+    xhr.responseType = request.responseType
-  xhr.timeout = request.timeout
+    xhr.timeout = request.timeout
-  xhr.addEventListener 'load', ->
+    xhr.addEventListener 'load', ->
-    {status, statusText, response} = @
+      {status, statusText, response} = @
-    if @readyState is @DONE && xhr.status is 200
+      if @readyState is @DONE && xhr.status is 200
-      if request.responseType is 'arraybuffer'
+        if request.responseType is 'arraybuffer'
-        response = [new Uint8Array(response)...]
+          response = [new Uint8Array(response)...]
-        contentType = @getResponseHeader 'Content-Type'
+          contentType = @getResponseHeader 'Content-Type'
-        contentDisposition = @getResponseHeader 'Content-Disposition'
+          contentDisposition = @getResponseHeader 'Content-Disposition'
-      cb {status, statusText, response, contentType, contentDisposition}
+        cb {status, statusText, response, contentType, contentDisposition}
-    else
+      else
-      cb {status, statusText, response, error: true}
+        cb {status, statusText, response, error: true}
-  , false
+    , false
-  xhr.addEventListener 'error', ->
+    xhr.addEventListener 'error', ->
-    cb {error: true}
+      cb {error: true}
-  , false
+    , false
-  xhr.addEventListener 'abort', ->
+    xhr.addEventListener 'abort', ->
-    cb {error: true}
+      cb {error: true}
-  , false
+    , false
-  xhr.addEventListener 'timeout', ->
+    xhr.addEventListener 'timeout', ->
-    cb {error: true}
+      cb {error: true}
-  , false
+    , false
-  xhr.send()
+    xhr.send()

src/platform/CrossOrigin.coffee

@@ -131,3 +131,11 @@ CrossOrigin =
         else
           failure url
       <% } %>
+
+  permission: (cb) ->
+    <% if (type === 'crx') { %>
+    eventPageRequest {type: 'permission'}, -> cb()
+    <% } %>
+    <% if (type === 'userscript') { %>
+    cb()
+    <% } %>