Add-on permissions

I just submitted an add-on and my manifest.json’s permissions are empty. They are literally an empty array.

Why does the add-on’s product page list the permissions as: “Access your data for all websites”?

Your manifest has

"permissions": []

but it was interpreted to mean either

"permissions": ["*://*/*"]

or

"permissions": ["<all_urls>"]

? That shouldn’t happen, but perhaps it would be safer to omit the permissions key rather than list an empty one.

That may be due to the content script’s match pattern.

I tried removing the permissions option from manifest, but had no luck.

My content_scripts.matches is ["*://*/*"]. Is there any way to work on all pages without having such extensive permissions? I would like to explicitly not have permissions to read whatever I like from the page if possible.

Also, is there a way to check for required permissions before uploading a new version?

Host permissions are currently read-write only. You can’t write without reading. And you being able to access every page’s DOM means you can factually read out just about everything. So that permission is pretty fitting, even if your extension is not actually taking advantage of everything the permission would offer. That’s what https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Request_the_right_permissions tries to address - essentially you need to communicate to the concerned user why your extension needs those permissions.

Not sure what you mean by that. What permissions your extension will be requesting?

Does your content script need to run automatically in every page, or only on some domains, or only when a user triggers it using a toolbar button or right-click context menu?

My add-on fixes the two-finger gesture navigation in Firefox that is missing at least on Windows. I recently moved from OS X to Windows and I was very confused and upset that I couldn’t navigate using the swipe gesture.

As such I think my addon requires the content_scripts.matches == ["*://*/*"] to function on each page to keep the UX good.

I will do as Martin suggested and add a section in the description explaining why the add-on requires such vast permissions.
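
On the question of checking before upload: the thread's point is that content_scripts.matches counts as host access even when "permissions" is empty. The following is an added example, not code from the thread or from Mozilla, that reads both places in a manifest and reports the combined host access. The rule that a pattern with host "*" means "all websites" is an assumption of this sketch, and the sample manifests are constructed.

```javascript
// Added example: pre-upload check of manifest.json host access (not Mozilla tooling).
// Assumption: a pattern means "all websites" if it is <all_urls> or its host is "*".
function isAllSites(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// API permissions such as "storage" are not match patterns and grant no host access.
function looksLikeMatchPattern(s) {
  return s === "<all_urls>" || /^[a-z*]+:\/\//.test(s);
}

// Collect every host pattern the manifest declares, with where it came from.
function effectiveHostAccess(manifest) {
  const hosts = [];
  for (const p of manifest.permissions || []) {
    if (typeof p === "string" && looksLikeMatchPattern(p)) {
      hosts.push({ pattern: p, from: "permissions" });
    }
  }
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) {
      hosts.push({ pattern: p, from: `content_scripts[${i}].matches` });
    }
  });
  return { hosts, allSites: hosts.filter((h) => isAllSites(h.pattern)) };
}

function report(manifest) {
  const { hosts, allSites } = effectiveHostAccess(manifest);
  if (allSites.length > 0) {
    return "all websites via " + allSites.map((h) => h.from).join(", ");
  }
  if (hosts.length === 0) return "no host access";
  return "limited to " + hosts.map((h) => h.pattern).join(", ");
}

// Constructed sample manifests (not the poster's real files).
const swipeLike = {
  permissions: [],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
const narrow = {
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://example.org/*"], js: ["content.js"] }],
};

console.log(report(swipeLike));
console.log(report(narrow));
```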