Web extensions on update prompt for permissions even if they have <all_urls>

RESOLVED DUPLICATE of bug 1331769

Status

P2
normal
RESOLVED DUPLICATE of bug 1331769
a year ago
4 months ago

People

(Reporter: jkt, Unassigned)

Tracking

55 Branch
x86_64
Linux

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: triaged)

Attachments

(1 attachment)

(Reporter)

Description

a year ago
Created attachment 8878234 [details]
Selection_691.png

I was just prompted by Privacy Badger on update of their extension for access to twitter.com despite them already having content scripts for <all_urls>.

It looks like on update we are not checking if the extension already has a superset of the URLs already being increased in the update.

Attached is the prompt I saw. As mentioned on IRC, Bug 1350277 is the reason the request is listed twice, so ignore that.


Aswan mentioned:

    if you have something (eg a regular permission) that uses <all_urls> and something else more specific (eg a content script on a specific host or domain), we suppress the individual host/domain since it is covered by all_urls
    but in the case of an update, we don't check host permissions against the existing host permissions.

https://dpaste.de/y0Pn is a copy of the current Privacy Badger manifest.

Updated

a year ago
Priority: -- → P2
Whiteboard: triaged

Comment 1

a year ago
I just had a user complaining about Google Search link fix extension requesting access to 200 domains on update - the update replaced http://* and https://* by a list of all Google domains. Luckily, this change was implemented while the permission prompt wasn't in the stable Firefox release yet...
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1331769
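
The check that the description and comment 1 say is missing on update, as an added example (not Firefox's code and not taken from this bug): it reports only the host patterns in an updated manifest that no already-granted pattern covers. The function names are hypothetical, a `*` scheme is assumed to mean http and https only, and path coverage is simplified to `/*` or an exact match.

```javascript
// Added example, not Firefox's implementation: simplified match-pattern coverage.
// Assumption: scheme "*" means http and https only.
function parsePattern(p) {
  if (p === "<all_urls>") return { schemes: null, host: "*", path: "/*" };
  const m = /^(\*|https?|wss?|ftp|file):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(p);
  if (!m) throw new Error(`invalid match pattern: ${p}`);
  const schemes = m[1] === "*" ? ["http", "https"] : [m[1]];
  return { schemes, host: m[2].toLowerCase(), path: m[3] };
}

// True when host pattern `a` matches every host that `b` can match.
function hostCovers(a, b) {
  if (a === "*") return true;
  if (b === "*") return false;
  if (a.startsWith("*.")) {
    const suffix = a.slice(2);
    const bare = b.startsWith("*.") ? b.slice(2) : b;
    return bare === suffix || bare.endsWith("." + suffix);
  }
  return a === b;
}

// True when an already-granted pattern makes a newly requested one redundant.
function covers(granted, requested) {
  const a = parsePattern(granted), b = parsePattern(requested);
  const schemeOk = a.schemes === null ||
    (b.schemes !== null && b.schemes.every(s => a.schemes.includes(s)));
  // Simplification: only "/*" or an identical path counts as covering.
  const pathOk = a.path === "/*" || a.path === b.path;
  return schemeOk && hostCovers(a.host, b.host) && pathOk;
}

// Patterns in the update that would actually widen access and merit a prompt.
function newlyRequestedOrigins(oldOrigins, newOrigins) {
  return newOrigins.filter(n => !oldOrigins.some(o => covers(o, n)));
}

// Constructed sample permission lists (not the real extensions' manifests).
const samples = [
  { old: ["<all_urls>"], next: ["<all_urls>", "https://twitter.com/*"] },
  { old: ["http://*/*", "https://*/*"], next: ["https://www.google.com/*", "https://*.google.co.uk/*"] },
  { old: ["https://*.example.com/*"], next: ["https://twitter.com/*", "https://api.example.com/v1/*"] },
];
for (const s of samples) {
  console.log(JSON.stringify(s.next), "-> prompt for", JSON.stringify(newlyRequestedOrigins(s.old, s.next)));
}
```

Only the third sample yields a non-empty list, so only that update would need a permission prompt.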

Updated

4 months ago
Product: Toolkit → WebExtensions