Closed Bug 1931554 Opened 3 months ago Closed 18 days ago

Add userScripts permission notice in add-on-specific settings in the Extensions Manager

Categories

(Fenix :: WebExtensions, task)

All
Android
task

Tracking

(firefox136 verified)

VERIFIED FIXED
136 Branch

People

(Reporter: robwu, Assigned: robwu)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [addons-jira])

Attachments

(2 files)

In bug 1917000 I will be adding a permission string for the "userScripts" permission on mobile (as mozac_feature_addons_permissions_userscripts_description in strings.xml). With this, the permission will appear as desired in the settings page for individual add-ons in the Extensions Manager.

As shown in the UX design at https://bugzilla.mozilla.org/show_bug.cgi?id=1917000#c3, there should also be an additional notice, with the following content:

Unverified scripts can pose security and privacy risks, such as running harmful code or tracking website activity. Only run scripts from extensions or sources you trust.

On desktop, this notice is added to about:addons in bug 1931545.

The above string should also appear in a permission prompt, for which I will file a separate bug.

Blocks: 1931556

Note: In the desktop mocks, there were two variations of the message, as seen at https://searchfox.org/mozilla-central/rev/86c208f86f35d53dc824f18f8e540fe5b0663870/toolkit/locales/en-US/toolkit/global/extensionPermissions.ftl#36-41

The reasoning is that in about:addons, there is more space for a string than in the prompt.
On mobile, the prompt and extension manager UI have approximately the same (small) amount of vertical space, so the string should be the short version, i.e.:

Unverified scripts can pose security and privacy risks. Only run scripts from extensions or sources you trust.

I confirmed this with Content (Emily).

To test (in a Nightly build), prepare a test case and then:

First, prepare the add-on:

  1. Download the contents of the userScripts-mv3/ directory from https://github.com/mdn/webextensions-examples/pull/576
  2. Create a zip file with its content (make sure that the directory content is at the top level, and NOT userScripts-mv3/). Choose "userScripts-mv3.xpi" as the file name.
  3. Put it on the device: adb push userScripts-mv3.xpi /sdcard/Download/userScripts-mv3.xpi

To test in a Nightly build, launch the app and:

  1. Visit about:config
  2. Search for l.sig to find xpinstall.signatures.required. Toggle the pref to make sure that its value is false.
  3. Tap on the + to add a new pref:
    • Name: extensions.userScripts.mv3.enabled
    • Toggle Boolean value, to true
    • Tap on "Create" to save the pref.
  4. Tap on the triple-dot menu, swipe down until the Settings menu item is visible and tap on it.
  5. Swipe down until the "About Firefox" row is visible, and tap on it.
  6. Tap many times on the Firefox logo to unlock the "Secret settings" feature.
  7. Go back (to the Settings menu). Now there will be an "Install extension from file" menu item.
  8. In the file picker, select the userScripts-mv3.zip file. Confirm installation.
  9. After installing, close the menus, click on the triple-dot menu and click on Extensions, then click on the "User Scripts Manager extension" that you just installed.
  10. Click on the Permissions row. That should display the permission string and a warning card as seen in the screenshot at https://bugzilla.mozilla.org/show_bug.cgi?id=1917000#c3 . Note that the string is slightly different from the mock (per comment 1).

If you do not see the "Allow unverified third-party scripts to access your data" toggle, confirm in about:config that you really set the prefs in the correct way. Then remove the extension and restart from step 7.
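The packaging step in the test instructions above (zip the directory's contents, not the directory itself) can be scripted and checked before pushing the file to the device. The following is an added example, not code from this bug or from the linked pull request; the manifest is a constructed sample, and the check assumes the add-on declares "userScripts" under `permissions` or `optional_permissions`.

```python
import json
import tempfile
import zipfile
from pathlib import Path


def build_xpi(src_dir: Path, xpi_path: Path) -> None:
    """Zip the *contents* of src_dir so manifest.json sits at the archive root."""
    with zipfile.ZipFile(xpi_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(src_dir.rglob("*")):
            if path.is_file():
                # arcname is relative to src_dir: no leading "userScripts-mv3/" component
                zf.write(path, path.relative_to(src_dir).as_posix())


def check_xpi(xpi_path: Path) -> list[str]:
    """Return a list of problems; an empty list means the layout looks installable."""
    with zipfile.ZipFile(xpi_path) as zf:
        names = zf.namelist()
        if "manifest.json" not in names:
            nested = [n for n in names if n.endswith("/manifest.json")]
            hint = f" (found nested at {nested[0]})" if nested else ""
            return [f"manifest.json is not at the top level{hint}"]
        manifest = json.loads(zf.read("manifest.json"))
    requested = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    if "userScripts" not in requested:
        return ["manifest does not request the userScripts permission"]
    return []


def demo() -> tuple[list[str], list[str]]:
    """Build a correct and a wrongly nested archive from a constructed sample add-on."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "userScripts-mv3"
        src.mkdir()
        # Constructed minimal manifest, not the one from the linked pull request.
        (src / "manifest.json").write_text(json.dumps({
            "manifest_version": 3, "name": "sample", "version": "0.1",
            "optional_permissions": ["userScripts"],
        }))
        good = Path(tmp) / "userScripts-mv3.xpi"
        build_xpi(src, good)
        bad = Path(tmp) / "nested.xpi"
        with zipfile.ZipFile(bad, "w") as zf:  # the mistake step 2 warns about
            zf.write(src / "manifest.json", "userScripts-mv3/manifest.json")
        return check_xpi(good), check_xpi(bad)
```

Running `check_xpi` on an archive built from the real directory before `adb push` catches the nested-directory mistake without a round trip to the device.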

Assignee: nobody → rob
Status: NEW → ASSIGNED
Pushed by rob@robwu.nl: https://hg.mozilla.org/integration/autoland/rev/2a17a8d98a0d Add extra warning for userScripts permission in mobile Add-ons Manager r=willdurand,twhite,android-reviewers
Status: ASSIGNED → RESOLVED
Closed: 18 days ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch

Verified as Fixed. Tested on the latest Nightly for Android (136.0a1 Build #2016071263, hg-eb7c95baf7aa+, GV: 136.0a1-20250201090348, AS: 136.20250129144653) on an Oppo Reno6 5G running Android 13.

On the “Permissions” page of the extension (as mentioned in Comment 2) there is an optional permission stating “Allow unverified third-party scripts to access your data” and its corresponding toggle, and a warning card beneath it, stating “Unverified scripts can pose security and privacy risks. Only run scripts from extensions or sources you trust.” See attached screenshot for more details.

Status: RESOLVED → VERIFIED
Attached image 1738578328314.JPEG