Open Bug 1787179 Opened 2 years ago Updated 1 day ago

Introduce a mechanism to enable users to opt in to extension functionality

Categories

(WebExtensions :: General, enhancement, P3)

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned)

References

(Depends on 1 open bug, Blocks 3 open bugs)

Details

(Whiteboard: addons-ux)

In addition to the effort of giving users more control over which websites an extension can access (bug 1711787), we should also consider controls to enable us to offer powerful extension functionality with explicit post-user install consent. This could cover features that are only useful to a small subset of extensions, and that are powerful enough that they should not be granted when a user mindlessly clicks through an installation prompt.

Examples of such features are the ability to downgrade security headers (bug 1787155), local file access (bug 1246236), and code execution for user script managers (bug 1687782).

A potential way to implement this is by withholding (internal) permissions by default, and allowing users to opt in via the Add-on manager UI (about:addons).

Severity: -- → N/A
Priority: -- → P3
Whiteboard: [addons-ux]
Whiteboard: [addons-ux] → addons-ux

Chrome has shipped a comparable feature, tied to their existing "Developer Mode" checkbox on their extension management page.
Originally developed to restrict the Chrome-only debugger API to developers (https://crbug.com/1267489), the feature has since been decoupled from debugger and attached to the userScripts API instead (https://crbug.com/1495451). Chrome's current documentation for the feature is at https://developer.chrome.com/docs/extensions/reference/api/userScripts#developer_mode_for_extension_users

The difference between what I proposed here and the flag in Chrome is that I intended this to be a per-extension toggle, not a global one.

Blocks: 1875475
Depends on: 1917000
No longer blocks: 1875475