1745823 - Implement negative permissions

Status: ASSIGNED

(WebExtensions :: General, enhancement, P3)

Description

[Tomislav Jovanovic :zombie]

• ⬜ Introduce and maintain a second list of “negative permissions” that an extension might be blocked from accessing, despite having a containing (<all_urls>) permission granted.
• ⬜ Check the URI against the list wherever we test host permissions.
• ⬜ Allow users to revoke a permission for a specific host (through the toolbar button or about:addons) even after granting <all_urls>.
• ⬜ Introduce a new browser.pemirssions.canAccess() API method, using a similar “target” object as the new scripting API.
• ⬜ Ask feedback through the WECG on the API design.

Comment 1

[robbendebiene]

I really like the idea of having an extension with <all_urls> host permission while giving the user the control about which specific websites (or match patterns) he/she actually wants to allow.

I also like the idea of providing browser.pemirssions.canAccess() method.
I'm even in favor of adding 2 more methods (request and remove), in order to give extensions the power to (re-)request and to give up a "host permission". This way extension could basically use the permission API as a blacklist/blocklist and do not need to maintain a separate list of blocked domains/URLs. This is not only easier for an extension author but it is also easier to understand for the user, because otherwise there are two places that control if the add-on works on a certain website or not.

Just want to throw out an idea: Maybe it would be more feasible to use the already existing permissions API methods like contains, removeand request by extending the Permissions object by another property.

Comment 3

[Tomislav Jovanovic :zombie]

Attachment: Bug 1745823 - Implement Quarantined Domains list, r?willdurand,rpl