Allowing accessing data on all websites for group policy installations with Manifest V3

We’re currently migrating our Manifest V2 extension to Manifest V3. Our extension enhances a large number of websites, so we ask the user to allow data for all websites.

On Manifest V2, the manifest entry for that looks like this:

  "content_scripts": [
    {
      // ...
      "matches": ["http://*/*", "https://*/*", "file://*/*"]
    }
  ],

With our Manifest V2 extension, when we do a site install using Microsoft Group Policy, our extension is granted the ability to read all websites automatically, without any user interaction. This made a lot of sense to us, because if your web browser installation is managed, you’re giving control of your privacy and experience over to the system administrator of your machine.

In Manifest V3, it seems like even when a Group Policy deploy happens, the user would still have to know to click on our extension icon to give access to all websites.

Is this correct? And is this intentional behavior, or something that could be changed in an upcoming release? Or is there possibly some group policy setting that would allow us to get this behavior back with Manifest V3 site-wide deployments?

When an admin is setting up your browser, you’re at the mercy of what the admin has done, so I would hope they can opt in to those permissions automatically without requiring each user to do it themself.

Thanks for any help!

Any updates? Hoping we can get some guidance on this.

Which Firefox version are you using?
Manifest V3 Updates (May 14, 2024):

Beginning with Firefox 127, users will be prompted to grant MV3 host permissions as part of the install flow (similar to MV2 extensions). We’re excited to deliver this work as based on feedback from Firefox users and extension developers, this has been a major hurdle for MV3 extensions in Firefox.

To me, this sounds like MV3 extensions installed via Group Policy should automatically receive the host permissions in manifest.json.

If not, maybe it works if you add the host permissions explicitly with the host_permissions manifest key. But adding them implicitly with the content_scripts manifest key should be enough.

Otherwise, please report the problem on https://bugzilla.mozilla.org/.
As far as I can tell, it hasn’t been reported yet.
All I could find with a cursory search was "When an mv3 extension is force_installed via policy, users should not be able to change host permissions".

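An added example, not part of the thread or of Firefox's code: a small audit an administrator could run over an extension's manifest before force-installing it, listing the host patterns it asks for at install time and flagging the all-sites ones. It follows the reply above in counting `content_scripts` matches alongside `host_permissions`; the function names and sample manifests are constructed for illustration.

```javascript
// Patterns that cover every host for at least one scheme.
function isAllSites(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return false;
  const [, scheme, host, path] = m;
  const anyHost = host === "*" || (scheme === "file" && host === "");
  return anyHost && path === "/*";
}

// MV2 mixes host patterns and API names in "permissions"; tell them apart.
function looksLikeHostPattern(entry) {
  return entry === "<all_urls>" || entry.includes("://");
}

// Collect every host pattern the manifest requests at install time.
function installTimeOrigins(manifest) {
  const origins = new Set();
  if (manifest.manifest_version === 3) {
    for (const p of manifest.host_permissions ?? []) origins.add(p);
  } else {
    for (const p of manifest.permissions ?? []) {
      if (looksLikeHostPattern(p)) origins.add(p);
    }
  }
  // Origins requested implicitly through content script match patterns.
  for (const cs of manifest.content_scripts ?? []) {
    for (const p of cs.matches ?? []) origins.add(p);
  }
  const list = [...origins].sort();
  return { origins: list, allSites: list.filter(isAllSites) };
}

// Constructed sample: MV3 manifest using the match patterns from the question.
const pageStyleManifest = {
  manifest_version: 3,
  content_scripts: [
    { js: ["content.js"], matches: ["http://*/*", "https://*/*", "file://*/*"] },
  ],
};
// Constructed sample: MV3 manifest scoped to one (placeholder) host.
const narrowManifest = {
  manifest_version: 3,
  host_permissions: ["https://intranet.example/*"],
  content_scripts: [{ js: ["content.js"], matches: ["https://intranet.example/app/*"] }],
};

console.log(installTimeOrigins(pageStyleManifest));
console.log(installTimeOrigins(narrowManifest));
```

Anything listed under `allSites` is what a policy install grants without the user ever seeing a prompt, so it is the part worth reviewing before deployment.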

Posted this to some internal folks as well and they concurred with what @hans_squared posted. Thanks @hans_squared!


Thanks so much for the feedback! We will test it out with the newer versions and confirm all looks well soon. Very glad Firefox decided to change that and will not require users to click through to grant all permissions.

I’ll admit @hans_squared and @Edward_Sullivan that I am clueless how you figured out this would apply to Group Policy installs based on the text quoted and in that blog post though. It says:

"users will be prompted to grant MV3 host permissions as part of the install flow (similar to MV2 extensions)"

To me, that only sounds like individual users, and addresses nothing about group policy installs.

But since you talked to internal folks @Edward_Sullivan, I’m glad that they’ve confirmed it!

Could one of you clue me in on how you determined this would be related to Group Policy from the text in that blog post? Hopefully that will help me better read these blog posts in the future.

It wasn’t stated directly in the blog post.

Generally speaking, enterprise extensions follow the same rules as user-installed extensions, but with some special additional allowances for enterprise-specific behaviors. One such allowance is that install time permissions are granted by default; the user doesn’t see or approve the initial set of permissions requested by the extension.

I’m not 100% confident about this, but I strongly suspect that when the MV3 host permission restrictions were implemented, the enterprise use case and its special grant handling was not considered, which resulted in MV3 extensions having an additional permission hurdle in enterprise environments. If not for the behavior change that went out in Firefox 127, I would have either opened a bug report or a feature enhancement request to address this behavior in enterprise extensions.


Thanks for the clarification @dotproto! We were suspecting it might be a bug, but we weren’t sure, and we really didn’t know where to post the bug / feature request.

Would we submit it here on this forum, or elsewhere?

Thanks @dotproto!

@karl3i, https://bugzilla.mozilla.org/home for bug reporting.
