Manifest V3 extensions with low privilege activeTab shows annoying blue dot for all websites
Categories
(WebExtensions :: General, defect)
Tracking
(firefox117 affected, firefox118 affected, firefox119 affected, firefox120 affected, firefox121 affected)
People
(Reporter: robert, Unassigned, NeedInfo)
References
(Blocks 1 open bug)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
Steps to reproduce:
- Develop an new Manifest V3 low privileges extension using only 'activeTab' permission as recommended on MDN:
"permissions": [
"activeTab",
"scripting"
]
- Loading the extension in Firefox.
Actual results:
For every website there is a blue dot asking for permissions on the extensions menu button and on the extension button. This is annoying, the idea of the "activeTab" permission is that an extension can do things on a website with running an extension action, without annoying the user with permissions prompts or like this, the blue dot.
Expected results:
An extension with simple permissions like this, should not be asking for permissions with the blue dot on every web page. These kind of dots are annoying because it notifies the user something is new or needs attention, and on this case it isn't true. The extension action will run only when the button is activated
Reverting to a Manifest V2 extension with the same permission doesn't show the blue dot.
|
||
Comment 1•3 months ago
|
||
The Bugbug bot thinks this bug should belong to the 'WebExtensions::Untriaged' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Comment 2•3 months ago
|
||
Hello,
I reproduced the issue on the latest Nightly (119.0a1/20230903210251), Beta (118.0b4/20230903180219) and Release (117.0/20230824132758) under Windows 10 x64 and macOS 11.3.1.
I will set the issue to NEW, however, in my opinion the display of the attention dot on each page is useful and correctly implemented. The user should be notified that an extension needs explicit permission to run, then let the user decide if the user shall allow it or not and not grant the permission automatically. On the other hand, if the dot is not displayed and an extension needs permission to run, the user might think the extension does not work since the permission was not granted and the user was not notified that he should do so.
I will NeedInfo one of our developers to ask for a second opinion on this.
|
Reporter | |
Comment 3•3 months ago
|
||
I can't talk for every user but I find these dots annoying for things that don't requires my immediate attention. As an example, It is like the red dot on Edge to use a Microsoft account, the dot is placed there because a lot of people will get annoyed and just make an account to get rid of it.
As I explained on the original report, If I switch the manifest to version 2, there is no request for permissions at install time, no blue dot on every site and even I can access protected information like tab.url.
If the blue dot was important, it should have been important on V2 manifest too.
As a side note, a V3 extension with only optional permissions:
"optional_permissions": [
"*://*/*",
"activeTab",
"scripting"
]
In order to request permissions for each site if needed at runtime, shows the blue dot for every site. The idea of them being optional is that the extension can do some operation without these permissions and later ask for them if required.
|
||
Updated•3 months ago
|
|
||
Comment 4•2 months ago
|
||
I think it's worth noting that this issue occurs if the extension only requests the "activeTab" permission. To reproduce it, add the following text to a file named "manifest.json" and load it as a temporary extension.
{
"name": "Blue dot",
"version": "0.1",
"manifest_version": 3,
"permissions": [ "activeTab" ],
"action": {}
}
According to MDN:
If an extension has the activeTab permission, then when the user interacts with the extension, the extension is granted extra privileges for the active tab only.
The MDN article doesn't indicate that the user must grant permission for every website in order for the extension to make use of tab-related functionality that the "activeTab" permission would allow.
|
||
Comment 6•24 days ago
•
|
||
This issue also affects our addon, which has the tabs permission, making it virtually useless.
Firefox for Android has the same issue, and the situation is worse: the addon’s script injection doesn’t work until you open the UI (popup on desktop) through the Add-ons menu, and there is no indication like a blue dot.
|
||
Comment 7•24 days ago
•
|
||
It was also reported in the Firefox support as a very confusing behavior. The affected add-on was https://addons.mozilla.org/de/firefox/addon/duplicate_tab/ which uses the activeTab permission.
I agree that the blue dot is useful if there is something actionable for the user, for example if the user has to grant a permission. But that's not the case for the activeTab permission. It's confusing because the user can't do anything and the menu still shows the blue dot, without any chance to get rid of it. And so the menu draws attention to itself all the time, even though there is nothing for the user to do. The text in the add-ons menu that the add-on requires a permission does not help to reduce the confusion at all, as the user thinks they have to do something and that's not true.
@Alex Cornestean:
The user should be notified that an extension needs explicit permission to run, then let the user decide if the user shall allow it or not and not grant the permission automatically.
Agreed. But that's not the case for the activeTab permission. The activeTab permission just works, and there is nothing the user can grant or forbid.
|
|
||
Comment 8•18 days ago
•
|
||
I’ve quickly analyzed some extensions listed on the spreadsheet linked from this Add-ons Blog post and realized that most extensions still use MV2. We gotta back out our MV3 migration as it’s not a blocker for the Android support. 😔
Description
•