Closed Bug 1441693 Opened 7 years ago Closed 7 years ago

Extensions shouldn't prompt for new permissions that are included in existing permissions

Categories

(WebExtensions :: Untriaged, defect)

Product:
WebExtensions
Component:
Untriaged
Version:
57 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1331769

People

(Reporter: bennettcyphers, Unassigned)

Details

(Whiteboard: [dev-ux])

Attachments

(3 files)

permissions-bug.png
105.84 KB, image/png
Details
Permissions dialog installing a new version over an existing version
80.01 KB, image/png
Details
The XPIs from comment 6
5.77 MB, application/zip
Details
Attached image permissions-bug.png
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0 Build ID: 20180208173149 Steps to reproduce: Update Privacy Badger from a version (2017.1.26.1) which did not explicitly contain permissions for twitter.com to a newer version (after June 9, 2017) which did. Both the old and new versions of Privacy Badger already contained permissions for all URLs. See the related Privacy Badger issue (https://github.com/EFForg/privacybadger/issues/1619) for more details. Actual results: The user was prompted to appove new permissions for privacy badger, including "access to your data from twitter.com". Expected results: The user should not have been prompted to grant any new permissions.
Correction: the permissions prompt which asked for "unlimited storage" was legitimate, and is not part of the bug.
This sounds like bug 1331769 which was fixed in Firefox 58, which Firefox version were you using?
Flags: needinfo?(bennettcyphers)
This was in firefox 57, so it might be fixed. In order to confirm, we'd like to try upgrading with the new firefox. Are there any resources to help with testing updates? It looks simple in this gif: https://bug1331769.bmoattachments.org/attachment.cgi?id=8915034. We've spent some time trying to get it to work based on the information here: https://developer.mozilla.org/en-US/Add-ons/Updates, but haven't been able to get it to work yet. Thanks.
Flags: needinfo?(bennettcyphers)
If you just want to test what happens in the browser when you upgrade from version M to version N, you can just install the new version over the old version, the browser will handle that the same way it handles applying an update it got from an update manifest. If you're publishing on AMO, AMO will produce udpate manifests for you and you shouldn't need to worry about it. If you're self-hosting and having trouble with update manifests, I would suggest using IRC or the dev-addons mailing list or filing a bug if it you can produce a reduced test case where something is not working as documented. I'm going to close this bug, please feel free to re-open if you can reproduce in a recent Firefox.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
I am not sure that installing the new version over the old version is handled the same way. If you look at the attached screenshot where I drag-and-dropped a newer XPI that adds a couple of new permissions, you'll see that instead of warning about the new permissions, the dialog lists every permission, new and old. So this doesn't help if we want to test what happens to an extension on upgrade. Could you help us figure out a straightforward way of testing upgrading in Firefox?
Product: Toolkit → WebExtensions
I would love to get some help in testing Firefox permission warnings. Like I wrote six months ago, installing the new version over the old version does not work the same way as upgrading to a new version. It works more like a new install where I am asked to confirm all permissions instead of just the stuff that changed. I just uploaded a several test variants of Privacy Badger as an unlisted add-on: https://addons.mozilla.org/en-US/firefox/addon/f762e8dc921d4eadad94/. I can install any one of these versions into Firefox, but clicking "check for updates" in about:addons doesn't lead to an update even though I have more recent versions uploaded to AMO. Testing permission warning should be a straightforward, documented process, especially given the undocumented differences in behavior between Firefox and Chrome (bug 1411999, for example).
Hi Andrew, I would appreciate any help with testing permission warnings on extension upgrade. For example, Chrome had this process documented here: https://web.archive.org/web/20180114080742/https://developer.chrome.com/apps/permission_warnings#test (it appears their instructions are gone from the latest version of the page ...)
Flags: needinfo?(aswan)
Whiteboard: [dev-ux]
Bug 1504018 is a related extension permissions issue.
At this point it appears the way to test permission warnings on extension update is to essentially self host the extension: https://bugzilla.mozilla.org/show_bug.cgi?id=1411999#c18
The link from comment 6 is 404, can you attach xpi files for the extensions you are using for testing to this bug?
Flags: needinfo?(aswan) → needinfo?(alexeiatyahoodotcom+mzllbgzll)
Sure, although this particular bug (asking for example.com host permission when you already have host permission for all URLs triggers a warning) is already resolved. I've since filed bug 1505510 to help with testing permissions on upgrade.
Flags: needinfo?(alexeiatyahoodotcom+mzllbgzll)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: