Bug 1308292 (webext-permissions)

[meta] (tracking) Webextensions required permissions handling

RESOLVED FIXED

Status

P2
normal
RESOLVED FIXED
3 years ago
2 months ago

People

(Reporter: aswan, Unassigned)

Tracking

({dev-doc-complete, meta})

51 Branch
dev-doc-complete, meta
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: triaged[permissions])

(Reporter)

Description

3 years ago
This is a tracking bug to cover the individual pieces needed to expose required webextension permissions (i.e., those in the "permissions" section of the manifest) to users when installing and upgrading webextensions.

Note that everything related to handling of optional permissions is tracked in a separate issue: bug 1197420
(Reporter)

Updated

3 years ago
Depends on: 1308295
(Reporter)

Updated

3 years ago
Depends on: 1308296
(Reporter)

Updated

3 years ago
Depends on: 1308302
(Reporter)

Updated

3 years ago
Depends on: 1308308
(Reporter)

Updated

3 years ago
Depends on: 1308309
(Reporter)

Updated

3 years ago
Depends on: 1308310

Updated

3 years ago
Whiteboard: triaged

Updated

3 years ago
Whiteboard: triaged → triaged[permissions]

Updated

2 years ago
Depends on: 1316460
(Reporter)

Updated

2 years ago
Blocks: 1234150
(Reporter)

Updated

2 years ago
Depends on: 1316996
(Reporter)

Updated

2 years ago
Depends on: 1317000
(Reporter)

Updated

2 years ago
Depends on: 1317363
(Reporter)

Updated

2 years ago
Depends on: 1317470

Updated

2 years ago
Depends on: 1317590
(Reporter)

Updated

2 years ago
Depends on: 1328339
(Reporter)

Updated

2 years ago
Depends on: 1330823
(Reporter)

Comment 1

2 years ago
Removing bugs labeled blockers that are not necessary to enable permission prompts.  Follow up items related to required permissions can still be found by searching for webextensions bugs with "permissions" in the whiteboard.
No longer depends on: 1308302, 1308308, 1328339
(Reporter)

Updated

2 years ago
Blocks: 1331618
(Reporter)

Updated

2 years ago
Blocks: 1331521
(Reporter)

Comment 2

2 years ago
Adding dev-doc-needed.  Developers don't have to take any explicit actions related to this bug, but I think it would be worth mentioning on the page that documents the manifest that some manifest declarations are exposed to users in permission prompts.
Keywords: dev-doc-needed
(Reporter)

Updated

2 years ago
Depends on: 1334010
(Reporter)

Updated

2 years ago
Depends on: 1332061
(Reporter)

Updated

2 years ago
Depends on: 1329942
(Reporter)

Updated

2 years ago
Depends on: 1334076
(Reporter)

Updated

2 years ago
Depends on: 1334085
(Reporter)

Updated

2 years ago
Depends on: 1334096
(Reporter)

Updated

2 years ago
Depends on: 1333262
(Reporter)

Updated

2 years ago
Depends on: 1334354
(Reporter)

Updated

2 years ago
Depends on: 1334404
(Reporter)

Updated

2 years ago
Depends on: 1334479
(Reporter)

Updated

2 years ago
Depends on: 1335985
(Reporter)

Updated

2 years ago
Depends on: 1333168
(Reporter)

Updated

2 years ago
No longer depends on: 1313298
(Reporter)

Updated

2 years ago
Depends on: 1329884
(Reporter)

Updated

2 years ago
Depends on: 1337870
(Reporter)

Updated

2 years ago
Depends on: 1337951
(Reporter)

Updated

2 years ago
Depends on: 1311815
(Reporter)

Updated

2 years ago
Depends on: 1338713

Comment 3

2 years ago
Related: https://palant.de/2016/07/02/why-mozilla-shouldn-t-copy-chrome-s-permission-prompt-for-extensions

I'm not a UX expert, but I think the reasoning of the article is well thought out and should be taken into consideration. I personally don't have any strong feelings either way (my trust mostly lies in AMO's manual review process), I just wanted to represent the other side.

Comment 4

2 years ago
As a power user who does tech support for the rest of the family, I can also support the points given in the article.

Heck, even for my own use, I generally shy away from Chrome extensions because it's just too much bother to audit them myself.

That said, I'd see a permissions system that's as on-demand as possible paired with AMO's existing auditing as a step up for two reasons:

1. In places like F-Droid where I trust the source, I use the permissions readout as a second layer of security and, more importantly, as a way to weed out stuff from developers whose development methodology I don't agree with. (Primarily relating to the practice of speculatively asking for permissions you might want later or getting lazy about how broadly you allow your core functionality to apply.)

2. On-demand permission prompting (as with Geolocation or Android 6) is a great way to allow people to say "Yes, I want to do X, but I don't want you to have the extra permissions required by feature Y which I'll never use." (For example, not everyone who uses Video DownloadHelper uses the supplementary transcoding functionality.)
(Reporter)

Comment 5

2 years ago
(In reply to Timvde from comment #3)
> I'm not a UX expert, but I think the reasoning of the article is well
> thought out and should be taken into consideration.

There was a discsussion about that post on the dev-addons mailing list last year that you can find in the archives.  The short summary is that nobody has suggested a concrete alternative to the current plan which leaves us with the choice of doing nothing or following the current plan.  We chose the second option, aware of its shortcomings but preferring those to the idea of not giving users any information.

(In reply to Stephan Sokolow from comment #4)
> That said, I'd see a permissions system that's as on-demand as possible
> paired with AMO's existing auditing as a step up for two reasons:

optional permissions (what you describe as on-demand) are slated to land in Firefox 54.

Updated

2 years ago
Depends on: 1339552

Updated

2 years ago
Depends on: 1340220
(Reporter)

Updated

2 years ago
Depends on: 1340135

Updated

2 years ago
Depends on: 1340443
(Reporter)

Updated

2 years ago
No longer depends on: 1342031
(Reporter)

Updated

2 years ago
No longer depends on: 1342052
Depends on: 1342133
(Reporter)

Updated

2 years ago
Depends on: 1342142

Updated

2 years ago
Blocks: 1342452
(Reporter)

Updated

2 years ago
Depends on: 1342506

Updated

2 years ago
Depends on: 1343498
Depends on: 1343571

Updated

2 years ago
Depends on: 1344214

Updated

2 years ago
Depends on: 1345818

Updated

2 years ago
Depends on: 1346138

Updated

2 years ago
Depends on: 1347063

Updated

2 years ago
Depends on: 1347478

Updated

2 years ago
Depends on: 1349189

Updated

2 years ago
Depends on: 1373176

Updated

2 years ago
Blocks: 1376793

Updated

2 years ago
Depends on: 1380591

Updated

2 years ago
Keywords: meta
Priority: -- → P2

Updated

2 years ago
No longer depends on: 1329884

Updated

2 years ago
No longer depends on: 1340102

Updated

2 years ago
No longer depends on: 1340109

Updated

2 years ago
No longer depends on: 1340471

Updated

2 years ago
No longer depends on: 1340531

Updated

2 years ago
No longer depends on: 1342506

Updated

2 years ago
No longer depends on: 1343179

Updated

2 years ago
No longer depends on: 1343222

Updated

2 years ago
No longer depends on: 1343518

Updated

2 years ago
No longer depends on: 1345818

Updated

2 years ago
No longer depends on: 1346722

Updated

2 years ago
No longer depends on: 1347170

Updated

2 years ago
No longer depends on: 1361730

Updated

2 years ago
No longer depends on: 1370523

Updated

2 years ago
No longer depends on: 1343201

Comment 6

2 years ago
All remaining bugs have been moved over to bug 1401643, since we think the core functionality is there.

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
I just saw this, since it got resolved :).

I think the request in comment 2 is already covered by the text in https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/permissions:

"If you request permissions using this key, then the browser may inform the user at install time that the extension is requesting certain privileges, and ask them to confirm that they are happy to grant these privileges. The browser may also allow the user to inspect an extension's privileges after installation."

So I'm just marking this one dev-doc-complete. But let me know if we need anything else here.
Keywords: dev-doc-needed → dev-doc-complete

Updated

9 months ago
Product: Toolkit → WebExtensions

Updated

2 months ago
No longer depends on: 1380591
Summary: (tracking) Webextensions required permissions handling → [meta] (tracking) Webextensions required permissions handling
You need to log in before you can comment on or make changes to this bug.