Bug 1308292 (webext-permissions)

(tracking) Webextensions required permissions handling

NEW
Unassigned

Status

()

Toolkit
WebExtensions: General
11 months ago
18 days ago

People

(Reporter: aswan, Unassigned)

Tracking

(Depends on: 22 bugs, Blocks: 2 bugs, {dev-doc-needed})

51 Branch
dev-doc-needed
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: triaged[permissions])

(Reporter)

Description

11 months ago
This is a tracking bug to cover the individual pieces needed to expose required webextension permissions (i.e., those in the "permissions" section of the manifest) to users when installing and upgrading webextensions.

Note that everything related to handling of optional permissions is tracked in a separate issue: bug 1197420
(Reporter)

Updated

11 months ago
Depends on: 1308295
(Reporter)

Updated

11 months ago
Depends on: 1308296
(Reporter)

Updated

11 months ago
Depends on: 1308302
(Reporter)

Updated

11 months ago
Depends on: 1308308
(Reporter)

Updated

11 months ago
Depends on: 1308309
(Reporter)

Updated

11 months ago
Depends on: 1308310

Updated

10 months ago
Whiteboard: triaged

Updated

10 months ago
Whiteboard: triaged → triaged[permissions]

Updated

9 months ago
Depends on: 1316460
(Reporter)

Updated

9 months ago
Blocks: 1234150
(Reporter)

Updated

9 months ago
Depends on: 1316996
(Reporter)

Updated

9 months ago
Depends on: 1317000
(Reporter)

Updated

9 months ago
Depends on: 1317363
(Reporter)

Updated

9 months ago
Depends on: 1317470

Updated

9 months ago
Depends on: 1317590
(Reporter)

Updated

8 months ago
Depends on: 1328339
(Reporter)

Updated

7 months ago
Depends on: 1330823
(Reporter)

Comment 1

7 months ago
Removing bugs labeled blockers that are not necessary to enable permission prompts.  Follow up items related to required permissions can still be found by searching for webextensions bugs with "permissions" in the whiteboard.
No longer depends on: 1308302, 1308308, 1328339
(Reporter)

Updated

7 months ago
Blocks: 1331618
(Reporter)

Updated

7 months ago
Blocks: 1331521
(Reporter)

Comment 2

7 months ago
Adding dev-doc-needed.  Developers don't have to take any explicit actions related to this bug, but I think it would be worth mentioning on the page that documents the manifest that some manifest declarations are exposed to users in permission prompts.
Keywords: dev-doc-needed

Updated

7 months ago
Depends on: 1333620
Depends on: 1333790
(Reporter)

Updated

7 months ago
Depends on: 1334010
(Reporter)

Updated

7 months ago
Depends on: 1332061
(Reporter)

Updated

7 months ago
Depends on: 1329942
(Reporter)

Updated

7 months ago
Depends on: 1334076
(Reporter)

Updated

7 months ago
Depends on: 1334085
(Reporter)

Updated

7 months ago
Depends on: 1334096
(Reporter)

Updated

7 months ago
Depends on: 1333262
(Reporter)

Updated

7 months ago
Depends on: 1334354
(Reporter)

Updated

7 months ago
Depends on: 1334404
(Reporter)

Updated

7 months ago
Depends on: 1334479
Depends on: 1335333
Depends on: 1335697
Depends on: 1335703
Depends on: 1335720
(Reporter)

Updated

7 months ago
Depends on: 1335985
(Reporter)

Updated

7 months ago
Depends on: 1333168
Depends on: 1313298
Depends on: 1336085
(Reporter)

Updated

7 months ago
No longer depends on: 1313298
(Reporter)

Updated

7 months ago
Depends on: 1329884
(Reporter)

Updated

6 months ago
Depends on: 1337870
(Reporter)

Updated

6 months ago
Depends on: 1337951
(Reporter)

Updated

6 months ago
Depends on: 1311815
(Reporter)

Updated

6 months ago
Depends on: 1338713

Comment 3

6 months ago
Related: https://palant.de/2016/07/02/why-mozilla-shouldn-t-copy-chrome-s-permission-prompt-for-extensions

I'm not a UX expert, but I think the reasoning of the article is well thought out and should be taken into consideration. I personally don't have any strong feelings either way (my trust mostly lies in AMO's manual review process), I just wanted to represent the other side.

Comment 4

6 months ago
As a power user who does tech support for the rest of the family, I can also support the points given in the article.

Heck, even for my own use, I generally shy away from Chrome extensions because it's just too much bother to audit them myself.

That said, I'd see a permissions system that's as on-demand as possible paired with AMO's existing auditing as a step up for two reasons:

1. In places like F-Droid where I trust the source, I use the permissions readout as a second layer of security and, more importantly, as a way to weed out stuff from developers whose development methodology I don't agree with. (Primarily relating to the practice of speculatively asking for permissions you might want later or getting lazy about how broadly you allow your core functionality to apply.)

2. On-demand permission prompting (as with Geolocation or Android 6) is a great way to allow people to say "Yes, I want to do X, but I don't want you to have the extra permissions required by feature Y which I'll never use." (For example, not everyone who uses Video DownloadHelper uses the supplementary transcoding functionality.)
(Reporter)

Comment 5

6 months ago
(In reply to Timvde from comment #3)
> I'm not a UX expert, but I think the reasoning of the article is well
> thought out and should be taken into consideration.

There was a discsussion about that post on the dev-addons mailing list last year that you can find in the archives.  The short summary is that nobody has suggested a concrete alternative to the current plan which leaves us with the choice of doing nothing or following the current plan.  We chose the second option, aware of its shortcomings but preferring those to the idea of not giving users any information.

(In reply to Stephan Sokolow from comment #4)
> That said, I'd see a permissions system that's as on-demand as possible
> paired with AMO's existing auditing as a step up for two reasons:

optional permissions (what you describe as on-demand) are slated to land in Firefox 54.

Updated

6 months ago
Depends on: 1339552

Updated

6 months ago
Depends on: 1339952
Depends on: 1340078
Depends on: 1340102
Depends on: 1340109

Updated

6 months ago
Depends on: 1340220
(Reporter)

Updated

6 months ago
Depends on: 1340135

Updated

6 months ago
Depends on: 1340443
Depends on: 1340471
Depends on: 1340501
Depends on: 1340531
Depends on: 1341240
Depends on: 1341273
Depends on: 1341286
Depends on: 1342031
Depends on: 1342052
(Reporter)

Updated

6 months ago
No longer depends on: 1342031
(Reporter)

Updated

6 months ago
No longer depends on: 1342052
Depends on: 1342133
(Reporter)

Updated

6 months ago
Depends on: 1342142
Depends on: 1342350
Depends on: 1342426

Updated

6 months ago
Blocks: 1342452
(Reporter)

Updated

6 months ago
Depends on: 1342506
Depends on: 1342896
Depends on: 1342914
Depends on: 1343179
Depends on: 1343201
Depends on: 1343222

Updated

6 months ago
Depends on: 1343498
Depends on: 1343518

Updated

6 months ago
Depends on: 1343571

Updated

6 months ago
Depends on: 1344214

Updated

5 months ago
Depends on: 1345818

Updated

5 months ago
Depends on: 1346138
Depends on: 1346722

Updated

5 months ago
Depends on: 1347063
Depends on: 1347170

Updated

5 months ago
Depends on: 1347478
Depends on: 1348854

Updated

5 months ago
Depends on: 1349189
Depends on: 1350277
Depends on: 1358431
Depends on: 1361730
Depends on: 1370523

Updated

2 months ago
Depends on: 1373176

Updated

2 months ago
Blocks: 1376793

Updated

a month ago
Depends on: 1380591
You need to log in before you can comment on or make changes to this bug.