Proposal: add disallow_host_permissions
#123
Comments
|
This sounds good. I support this for Apple. |
|
This issue has been mentioned in Publish minutes of 2022-02-03 meeting. Apple Safari and Mozilla Firefox seem to be in favor. @dotproto mentioned he will share Google's view async. |
xeenon
added
proposal
carlosjeurissen
added
the
follow-up: chrome
rdcronin
added
supportive: chrome
|
I'm supportive of this in Chrome. Allowing extensions to opt into reduced permissions always sounds good to me. |
|
what will happen if the extension programmatically & explicitly requests permission for the disallowed host? e.g. in the case above, it's account.google.com |
|
@Jack-Works There are a few paths to take.
@Jack-Works What do you think would be most logical here? |
|
@carlosjeurissen I believe it should be rejected. |
|
@Jack-Works So basically you are saying, when an extension author requests permissions for host X, Y, and for permission Z. Say host X is a disallowed_host_permission. The whole request should be rejected and no permission request should be displayed to the user? There are some edge cases, like what if a more specific host_permission is requested. Say https://*.example.com/ is in disallowed_host_permission, and permission for https://accounts.example.com/ is requested. Should this be rejected as well? Not sure there is a concept of partially granted permissions after / during a permission prompt. This could potentially be helpful. |
|
I'd like to express support to this proposal, but I'd also like it to be extended -- the user also needs control over disallowed host permissions. Currently, the host permissions only allow developers to include a list of websites where the extension is supposed to work on, but don't allow excluding them. We often end up having extensions with The simple examples are websites with sensitive information: banking, medical records, etc. I would like to prevent extensions installed in my browser from accessing those. Instead of that I have to use a different browser to access these websites. This proposal may in the future open a way to some new API that would allow websites to indicate that the information on the website is sensitive and extensions access to it may be undesirable (and then let the user decide how to deal with it). |
|
Safari already supports the user denying host permissions in the UI. |
Seems the opposite can be useful as well. A website indicating it is of a certain type, for example, a shopping website. It could volunteer to work with a coupon extension. A lot can be done to improve the/any contract between websites and extensions in this regard. Think about opting in/out to password managers, cosmetic extensions, text writing companions and so on. Potential downsides have briefly been discussed during TPAC 2023. The concern raised was the potential of abuse by non-bank websites. Say some evil actor has a website filled with ads. It pretends to be a bank and thus could avoid the ads from being blocked. So some form of user override might be welcome. |
|
What about naming it |
Related to the 2021-10-28 meeting about host permissions. As a developer, it can be helpful to determine a set of
host_permissionswhich should not be granted to the extension.An example could be granting permission for *.google.com yet excluding accounts.google.com due to security concerns. In this case it would basically have the same effect as having the user go to accounts.google.com and then remove host permissions from there.
Status
Apple Safari: In favor, only implemented for legacy extensions for now.
Mozilla Firefox: in favor, not yet implemented.
Google Chrome: awaiting response.
The text was updated successfully, but these errors were encountered: