Implement opt-in to userScripts API
Categories
(WebExtensions :: General, task, P2)
Tracking
(firefox134 fixed)
People
(Reporter: robwu, Assigned: robwu)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [addons-jira][wecg])
Attachments
(5 files, 2 obsolete files)
The userScripts API (bug 1875475) requires some sort of intentional user action to opt in to the functionality.
The exact shape of the opt-in is yet to be determined; a document describing the context and examples is at https://docs.google.com/document/d/1Bx261fBL8TPAyAy_839-Rtk7C6lriaHTvex1jXaUB5c/edit.
Comment 1•1 year ago (robwu, Assignee)
We have finalized the design following the userScripts API opt-in doc (already linked in the initial comment).
- Figma: Extension Userscripts UX (includes mobile and desktop)
- Security review for the proposed UX is approved.
We have settled on the following design:
- "userScripts" will be an optional-only permission. It cannot be requested at install time.
- The permission can be requested through permissions.request, with the following special aspects:
  - The permissions.request call cannot take permissions other than "userScripts" - if another permission/origin is included, the permission request is immediately rejected.
  - The permission prompt features a double confirmation, in the form of a checkbox and extra explanatory content. The permission request can only be granted if the checkbox is also checked. The permission warning is "Allow unverified third-party scripts to access your data".
- The "userScripts" permission can be managed at the usual about:addons page like any other optional permission. In addition to the usual permission string, there is an extra explanatory text.
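The request flow described in comment 1, as an added example that is not code from this bug, from Firefox, or from any extension. It shows how a userscript manager would request the optional-only "userScripts" permission and react to its revocation. Because browser.permissions is not available outside a browser, the block substitutes a constructed stand-in (makeFakePermissionsApi) that enforces the rules from the design; how that stand-in signals a rejected mixed request (a rejected promise) and the "storage" permission it pretends was granted at install are assumptions of the example, not Firefox behaviour.

```javascript
// Added example (not Firefox or extension code). The stand-in below models the
// permissions.request rules from the design so the file runs under Node.
function makeFakePermissionsApi({ checkboxChecked = true, userAccepts = true } = {}) {
  const granted = new Set(["storage"]); // assumption: "storage" granted at install
  const removedListeners = [];
  return {
    async request({ permissions = [], origins = [] }) {
      if (permissions.includes("userScripts") && (permissions.length > 1 || origins.length)) {
        // Design: a request mixing "userScripts" with anything else is rejected immediately
        // (modelled here as a rejected promise; an assumption of this stand-in).
        throw new Error('"userScripts" must be requested on its own');
      }
      if (permissions.includes("userScripts") && !checkboxChecked) {
        // Design: the double-confirmation checkbox must be ticked before "Allow" grants.
        return false;
      }
      if (!userAccepts) return false;
      for (const p of permissions) granted.add(p);
      return true;
    },
    async contains({ permissions = [] }) {
      return permissions.every((p) => granted.has(p));
    },
    async remove({ permissions = [] }) {
      for (const p of permissions) granted.delete(p);
      for (const fn of removedListeners) fn({ permissions, origins: [] });
      return true;
    },
    onRemoved: { addListener(fn) { removedListeners.push(fn); } },
  };
}

// Extension-side gate around userScripts.* calls. In a real extension pass
// browser.permissions; the manifest must list "userScripts" under
// optional_permissions, since it cannot be a required (install-time) permission.
class UserScriptsGate {
  constructor(permissionsApi) {
    this.permissions = permissionsApi;
    this.enabled = false;
    // The user can revoke the permission in about:addons at any time; stop
    // treating the feature as available as soon as that happens.
    this.permissions.onRemoved.addListener(({ permissions }) => {
      if (permissions.includes("userScripts")) this.enabled = false;
    });
  }

  // Call from a user-gesture handler (e.g. an options-page button click) and
  // request "userScripts" alone, never bundled with other permissions/origins.
  async requestAccess() {
    try {
      this.enabled = await this.permissions.request({ permissions: ["userScripts"] });
    } catch (err) {
      this.enabled = false; // e.g. a mixed request rejected by the browser
    }
    return this.enabled;
  }

  // On startup: the grant may have been made or revoked while the extension was off.
  async refresh() {
    this.enabled = await this.permissions.contains({ permissions: ["userScripts"] });
    return this.enabled;
  }
}

// Walks through the cases from the design and returns the observed outcomes.
async function demo() {
  const out = {};

  // 1. Mixing "userScripts" with another permission: rejected, nothing granted.
  const api1 = makeFakePermissionsApi();
  out.mixedRejected = await api1
    .request({ permissions: ["userScripts", "tabs"] })
    .then(() => false, () => true);
  out.mixedGrantedNothing = !(await api1.contains({ permissions: ["tabs"] }));

  // 2. User clicks "Allow" without ticking the checkbox: not granted.
  const gate2 = new UserScriptsGate(makeFakePermissionsApi({ checkboxChecked: false }));
  out.uncheckedDenied = !(await gate2.requestAccess());

  // 3. Proper flow: requested alone with the checkbox ticked, later revoked in about:addons.
  const api3 = makeFakePermissionsApi();
  const gate3 = new UserScriptsGate(api3);
  out.grantedAlone = await gate3.requestAccess();
  await api3.remove({ permissions: ["userScripts"] });
  out.disabledAfterRevoke = !gate3.enabled && !(await gate3.refresh());

  return out;
}

demo().then((r) => console.log(r));
```

The gate deliberately keys every userScripts.* call on `enabled` rather than on a value cached at startup, because the permission can appear or disappear post-install (comment 7); a manager that only checks once would keep registering scripts after the user revoked the grant.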
Comment 2•1 year ago (robwu, Assignee)
UX design for the userScripts permission flow on desktop, showing user controls in about:addons and the permission request flow.
Comment 3•1 year ago (robwu, Assignee)
UX design for the userScripts permission flow on mobile (Android), showing user controls in the Extensions Manager and the permission request flow.
Comment 4•1 year ago (robwu, Assignee)
In this bug I'll focus on implementing optional-only userScripts permission along with the permission string. I'll file follow-up bugs for the new UX that we are introducing for the userScripts permission.
Comment 5•1 year ago (erosman)
Please note the following considerations.
1. Extension does not include any unverified scripts
A warning attached to a userscript manager is misplaced as the userscript manager does not include any unverified scripts.
As an analogy, driving warnings are aimed at the driver and not the vehicle. It is the driver who chooses to behave securely or otherwise, not the car which is merely a tool. A userscript manager is the car in this example and it is the user who decides how to utilise that car. Furthermore, the warning is rather superfluous as the user installs the userscript manager with the explicit intention of running 3rd party scripts.
2. Warning might be misunderstood
"Allow unverified third-party scripts to access your data" has broad ramifications. Userscripts can get access to the user data associated with a webpage they are inserted in, but they cannot get access to other user data that are in other areas such as bookmarks, history, other site passwords etc.
Users are often wary about the extent of access to their private data by an extension and may misunderstand the level of access.
3. Only run script from extensions or sources you trust
Wouldn't inclusion of "extensions" imply that what is found on AMO (or web store etc) are not trustworthy (especially when there are only a handful of such extensions)?
Comment 6•1 year ago (robwu, Assignee)
This adds a permission message for the "userScripts" permission.
This also marks "userScripts" as an optional permission as a preparation
for implementing it as an optional-only permission. The implementation
and tests still expect the permission to have been granted at install
time; the next patches will update the tests and implementations to
complete the transition to an optional-only permission.
This feature is still behind a pref, off by default.
Comment 7•1 year ago (robwu, Assignee)
Mark "userScripts" as an optional-only permission and update all tests
that expect it to be a required permission, which is not supported.
This also improves the implementation to account for the fact that a
permission can be granted post install.
The disabling of functionality upon revoking a permission will be in a
separate patch.
Comment 8•1 year ago (robwu, Assignee)
Migrate test_ext_userScripts_mv3_csp.js to an optional-only permission.
This patch depends on https://phabricator.services.mozilla.com/D228976
and is therefore separate from the previous patches.
Comment 9•1 year ago (robwu, Assignee)
Migrate test_ext_userScripts_mv3_messaging.js to an optional-only
permission. This patch is separate from the previous patches because the
file was introduced in the patches of bug 1911836, which has not landed
yet.
Comment 10•1 year ago (robwu, Assignee)
Comment 11•1 year ago (robwu, Assignee)
I'm landing the small patch with the string changes now since string freeze is tomorrow; I expect the other patches to complete review soon and can then land that later.
Comment 12•1 year ago
Comment 13•1 year ago (robwu, Assignee)
(In reply to erosman from comment #5)
> 1. Extension does not include any unverified scripts
> A warning attached to a userscript manager is misplaced as the userscript manager does not include any unverified scripts.

The API gives extensions a way to run arbitrary code on websites. While the extension's source code itself can and will be reviewed by extension store reviewers (at https://addons.mozilla.org for Firefox), the user scripts that the extension can run are not.

> 2. Warning might be misunderstood
> "Allow unverified third-party scripts to access your data" has broad ramifications. Userscripts can get access to the user data associated with a webpage they are inserted in, but they cannot get access to other user data that are in other areas such as bookmarks, history, other site passwords etc.
> Users are often wary about the extent of access to their private data by an extension and may misunderstand the level of access.

The warning is scary, but it is an accurate reflection of the "worst case" that can happen when an extension is granted this permission. The browser is a viewer of websites and web applications, and scripts that run there can potentially do a lot of harm, including password interception.

> 3. Only run scripts from extensions or sources you trust
> Wouldn't inclusion of "extensions" imply that what is found on AMO (or web store etc) are not trustworthy (especially when there are only a handful of such extensions)?

Everyone has different criteria by which they assess trust. Reminding the user that they should double-check whether they should trust this extension is a good thing. We will include documentation on support.mozilla.org that documents the capability and what it implies.
Comment 14•1 year ago (bugherder)
Comment 15•1 year ago
Comment 16•1 year ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/9a6e72ab04f9
https://hg.mozilla.org/mozilla-central/rev/98624c528651
Comment 17•1 year ago (robwu, Assignee)
The concept of "userScripts" as an optional permission is discussed in the WECG, at https://github.com/w3c/webextensions/issues/740