Closed Bug 1502987 Opened 6 years ago Closed 4 years ago

Should be able to request specific host permission when not already granted

Categories

(WebExtensions :: General, enhancement, P3)

Product:
WebExtensions
Component:
General
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: freaktechnik, Unassigned)

References

Details

(Whiteboard: [permission])

Attachments

(1 obsolete file) 

Specific host permissions are more powerful than wildcard host permissions in Firefox. They allow bypassing tracking protection.

When an extension requests a specific host permission but already has <all_urls> or similar the permission is not requested, since the permission manager assumes that it is already granted and fully included in <all_urls>.

However if a permission for a specific host is not already granted, the request should always be shown, so extensions can disable tracking protection for specific hosts by user interaction, even when they want to disable CORS everywhere, for example.
Priority: -- → P2
Whiteboard: [permission]
Flags: needinfo?(mixedpuppy)
See Also: → 1514054

There was probably a reason for the ni? but I've no idea what.

Flags: needinfo?(mixedpuppy)
Type: defect → enhancement
Priority: P2 → P3

We are running into this with Livemarks, a recommended extension. We already request permission: ["<all_urls>"], because we want to be able to handle opening RSS URLs like https://magic.wizards.com/en/rss/rss.xml by showing a preview. For some RSS feeds however this doesn't work like Gmail or Reddit.
We get an error message like:

Request to access cookie or storage on “https://mail.google.com/mail/u/0/feed/atom” was blocked because it came from a tracker and content blocking is enabled.

To give our users a chance to add these RSS feeds my idea was to extend our code for manually adding RSS feed URLs by first requesting the appropriate permission like browser.permissions.request({origins: ["https://mail.google.com/"]}). Now we come back to this bug: Firefox always resolves this request to true and doesn't ask the user for permission and of course doesn't add the more specific host permissions that we need to bypass the cookie/storage blocking.

Assignee: nobody → mixedpuppy
Status: NEW → ASSIGNED

With the tracking protection use case addressed, do we want to close this one?

Or do we still want to keep it open somehow, to have the possibility of the following:

  • request <all_urls>
  • request example.com
  • revoke <all_urls>
  • still have the ability to access example.com

^ see comment 5

Do you want to keep this bug and the patch open or can it be closed?

Flags: needinfo?(mixedpuppy)

Assuming that bug 1629436 has made this more generic and we do not need host-specific permissions to deal with TP (and other stuff), I'd say lets close this for now unless/until we have a solid reason to do it.

Flags: needinfo?(mixedpuppy) → needinfo?(rob)

Bug 1629436 solved this for extension pages, but (intentionally) not for content scripts.

I agree with closing this until there is a solid reason.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(rob)
Resolution: --- → WONTFIX
Assignee: mixedpuppy → nobody
Attachment #9136499 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: