I've been researching into this extensively, trying the plan.toggl.com permissions thingie and I realized that maybe it is not really possible to handle it as easily.

The main issue is the fact that we are currently showing in the list everything except *.toggl.com. Well, plan.toggl.com is implicitly allowed by the required permission *.toggl.com.

I've discussed this a bit with @shantanuraj and he advised me not to change the urls in the manifests, because any changes in the manifest causes more thorough check by the stores. So we considered the option to expand the Plan's item on origins.js to include another boolean property that would be checked in code to explicitely include that item in the list, despite the fact that it's a toggl domain.

However, this can't be done.

The problem is that if we are requesting the browser to add an origin that is already covered by another origin, it will not be added to the list of origins.

I've tried

chrome.permissions.request({ origins: ['http://test-string.toggl.com/'] })

and when I later check the list with getAll(), mine is not added.
When I do a

chrome.permissions.request({ origins: ['http://test-string.toggl-test.com/'] })

(note the toggl-test), then all is well, it is added to the origins as expected.

That being said, the problem with plan.toggl.com is that, while it can be shown in the list of integrations origins, it can't be disabled, as it is implicitely used by *.toggl.com. I have found no way of knowing whether the user accepted it or not (aka should I check the checkbox), because that URL is never returned from getAll (because it is already covered by the default generic toggl one).

So, in the end, I think that permissions in the manifest need to be changed after all.

Especially now after rebranding, since the permission should not state *.toggl.com, but *.track.toggl.com, since the API is now on that URL. That would automatically solve the issue with the plan.toggl.com as it would no longer be automatically covered. However, I think we are doing some subdomain contracting which would need to be adjusted as well.

Well since we are are in the post-rebrand era and we already have the themed builds out, I'm willing to take a chance with a longer review by altering the manifest

Do you know what's the final verdict on the API and supporting v8 on the new domains, I saw that it might not be the case but in my test I can see the v8 API is accessible over track.toggl.com and is probably being used by button atm

ps. We'd need access to just track.toggl.com and toggl.com not *.track.toggl.com right?