Indeed, some features are only gated by a privileged signature check and not by a privileged permission. If the goal is merely to recognize supposedly privileged add-ons, then that can be done by recommending privileged add-ons to include a privileged permission (or even a dummy permission) as I mentioned in comment 3. Otherwise, if we really want to check the use for every individual feature, then we'd need to introduce a new permission (or manifest key) for features that are not already behind a permission or manifest key.

The full list of features tied to the privileged state (= signed with a privileged signature / being a built-in extension / loaded temporarily with the experiments enabled preference) is as follows:

- bug 1323845, bug 1454820 - manifest.json's `experiment_apis` to load and run unsandboxed code with chrome privileges.
- bug 1365349, bug 1543204 - manifest.json's `hidden` property to hide privileged/built-in extensions.
- bug 1457865 - manifest.json's `l10n_resources` to allow localization of manifest properties.

(the above APIs are tied to a manifest key and don't require a new permission; the following ones may need a new permission)

- bug 1580816 - l10n API in (privileged) extension documents.
- bug 1674383 - `SharedArrayBuffer` API for privileged extensions (in extension process only).
- bug 1593651, bug 1608373 - expose `respectBeConservative` via `privacy.settings` to privileged extensions.
- bug 1593635 - expose `tlsVersionRestriction` via `privacy.network` to privileged extensions.
- bug 1525718 - privileged extensions can be enabled by default in private browsing mode.
- bug 1729969 (https://hg.mozilla.org/mozilla-central/rev/63cdac6cec7e) - to allow a privileged add-on to load extension scripts in the main process. A new permission would make more sense than the current implementation, but the check as a whole is expected to be a temporary hack.
- bug 1326572 - `geckoProfiler` API (predates the `PRIVILEGED_PERMS` logic below) requires a privileged signature or being built-in, or being listed in the `extensions.geckoProfiler.acceptedExtensionIds` pref.
- bug 1394579, bug 1710917 - supports SVG context-fill for privileged Mozilla add-ons (with `@mozilla.com`/`@mozilla.org` ID suffix).
- Permissions requiring privileged signature in `PRIVILEGED_PERMS`: https://searchfox.org/mozilla-central/rev/3407e72ceb5039da514c03ae61bd279b1725c3b2/toolkit/components/extensions/Extension.jsm#165-172
  - bug 1280235 - `mozillaAddons` permission (see comment 3)
  - bug 1280234 - `telemetry` API
  - bug 1547285 - `urlbar` API
  - bug 1536658 - `normandyAddonStudy` API
  - bug 1542403 - `activityLog` API
  - bug 1550605 - `networkStatus` API
  - bug 1518843, bug 1601067 - (Android-only) `geckoviewAddons` and `nativeMessagingFromContent` permissions (meant to be used by built-in extensions to communicate with the app).
  - bug 1739746 - (Android-only) `nativeMessaging` permission restricted to privileged extensions (on desktop any extension can use `nativeMessaging`).

Bug 1739114 Comment 5 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Indeed, some features are only gated by a privileged signature check and not by a privileged permission. If the goal is merely to recognize supposedly privileged add-ons, then that can be done by recommending privileged add-ons to include a privileged permission (or even a dummy permission) as I mentioned in comment 3. Otherwise, if we really want to check the use for every individual feature, then we'd need to introduce a new permission (or manifest key) for features that are not already behind a permission or manifest key.

The full list of features tied to the privileged state (= signed with a privileged signature / being a built-in extension / loaded temporarily with the experiments enabled preference) is as follows:

- bug 1323845, bug 1454820 - manifest.json's `experiment_apis` to load and run unsandboxed code with chrome privileges.
- bug 1365349, bug 1543204 - manifest.json's `hidden` property to hide privileged/built-in extensions.
- bug 1457865 - manifest.json's `l10n_resources` to allow localization of manifest properties.

(the above APIs are tied to a manifest key and don't require a new permission; the following ones may need a new permission)

- bug 1580816 - l10n API in (privileged) extension documents.
- bug 1674383 - `SharedArrayBuffer` API for privileged extensions (in extension process only).
- bug 1593651, bug 1608373 - expose `respectBeConservative` via `privacy.settings` to privileged extensions.
- bug 1593635 - expose `tlsVersionRestriction` via `privacy.network` to privileged extensions.
- bug 1525718 - privileged extensions can be enabled by default in private browsing mode.
- bug 1729969 (https://hg.mozilla.org/mozilla-central/rev/63cdac6cec7e) - to allow a privileged add-on to load extension scripts in the main process. A new permission would make more sense than the current implementation, but the check as a whole is expected to be a temporary hack.
- bug 1326572 - `geckoProfiler` API (predates the `PRIVILEGED_PERMS` logic below) requires a privileged signature or being built-in, or being listed in the `extensions.geckoProfiler.acceptedExtensionIds` pref.
- bug 1394579, bug 1710917 - supports SVG context-fill for privileged Mozilla add-ons (or unprivileged ones with `@mozilla.com`/`@mozilla.org` ID suffix).
- Permissions requiring privileged signature in `PRIVILEGED_PERMS`: https://searchfox.org/mozilla-central/rev/3407e72ceb5039da514c03ae61bd279b1725c3b2/toolkit/components/extensions/Extension.jsm#165-172
  - bug 1280235 - `mozillaAddons` permission (see comment 3)
  - bug 1280234 - `telemetry` API
  - bug 1547285 - `urlbar` API
  - bug 1536658 - `normandyAddonStudy` API
  - bug 1542403 - `activityLog` API
  - bug 1550605 - `networkStatus` API
  - bug 1518843, bug 1601067 - (Android-only) `geckoviewAddons` and `nativeMessagingFromContent` permissions (meant to be used by built-in extensions to communicate with the app).
  - bug 1739746 - (Android-only) `nativeMessaging` permission restricted to privileged extensions (on desktop any extension can use `nativeMessaging`).
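
A manifest check built from the list in the comment above, as an added example that is not part of the bug comment or of Firefox's own code: it reports which privileged manifest keys and permissions a `manifest.json` declares. The function name, the `platform` parameter, the result shape and the sample manifest are assumptions of this sketch.

```javascript
// Added example, not Firefox code. Names are taken from the list in the comment.
const PRIVILEGED_MANIFEST_KEYS = ["experiment_apis", "hidden", "l10n_resources"];
const PRIVILEGED_PERMISSIONS = new Set([
  "mozillaAddons", "telemetry", "urlbar", "normandyAddonStudy", "activityLog",
  "networkStatus", "nativeMessagingFromContent",
  "geckoViewAddons", // capital V is the spelling used in Extension.jsm
]);
// Privileged-only on Android; on desktop any extension can use it.
const ANDROID_PRIVILEGED_PERMISSIONS = new Set(["nativeMessaging"]);

// Report which privileged manifest keys and permissions a manifest declares.
// `platform` ("desktop" or "android") is a parameter invented for this sketch.
function auditManifest(manifestText, platform = "desktop") {
  const result = { error: null, keys: [], permissions: [], declaresPrivilege: false };
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (e) {
    result.error = "manifest is not valid JSON";
    return result;
  }
  if (manifest === null || typeof manifest !== "object" || Array.isArray(manifest)) {
    result.error = "manifest is not a JSON object";
    return result;
  }
  result.keys = PRIVILEGED_MANIFEST_KEYS.filter((key) => key in manifest);
  // Look at required and optional permissions; ignore non-string entries.
  const requested = [manifest.permissions, manifest.optional_permissions]
    .filter(Array.isArray)
    .flat()
    .filter((perm) => typeof perm === "string");
  const hits = requested.filter(
    (perm) =>
      PRIVILEGED_PERMISSIONS.has(perm) ||
      (platform === "android" && ANDROID_PRIVILEGED_PERMISSIONS.has(perm))
  );
  result.permissions = [...new Set(hits)].sort();
  // false only means "nothing visible in the manifest": signature-gated features
  // such as SharedArrayBuffer leave no trace here, which is the gap described above.
  result.declaresPrivilege = result.keys.length > 0 || result.permissions.length > 0;
  return result;
}

// Constructed sample manifest, not from a real add-on.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2, name: "sample", version: "1.0", hidden: true,
  permissions: ["telemetry", "nativeMessaging", "tabs", "telemetry"],
});
console.log(auditManifest(SAMPLE_MANIFEST, "android"));
```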