Any concern with exposing add-on UUID?

This is perhaps a stupid question, but is there any security/privacy concern with exposing an extension’s UUID in a GET?

I have landing pages for some of my add-on’s updates to explain new features. Rather than bundling them with the add-on, I have them hosted on my web server. But I’d like to have some kind of way to interact between the extension and the landing page.

There are two objectives that I’m thinking about in this situation:

A) I’d like to give my users the option to opt out of future feature notifications. Similarly to how an email has the “Unsubscribe” button at the bottom, I was interested in adding that on my landing page. Then, using the UUID I can have a button that links directly to a HTML page in the extension. That HTML page can have JavaScript that will adjust settings in the Storage API.

B) This is kind of similar to what I’ve already described. If I have a new feature, I’d like to be able to offer an opt-in or opt-out button that will enable/disable the new feature. Along the same lines, if I have the UUID, I can link directly to an HTML page in the extension that can change settings in the Storage API.

In both cases, a page could easily be opened by sending the user to moz-extension://{UUID}/path/to/file.html and the UUID could be obtained from the background script when the landing page is opened by the add-on and just appended to the URL as a parameter.

But is there any security/privacy concern doing this? I’m referring to the Internal UUID that Firefox randomly generates when the add-on is installed, not the ID that I’ve assigned to the add-on in the manifest.

There are alternate ways to achieve what I’m looking for (like bundling a content script that modifies the landing page or bundling the landing page in the add-on) but they require additional permissions or more code bundled into the add-on.

The method I described above just came into my head and it seems like it would work functionally.

Insert the link with a content script.

Either bundle the page with the extension or use a content script.

Regarding the privacy impact of the UUID, it is specific to the profile of the user, so yes, that’d be quite the leak. There’s a reason extension requests don’t send an origin.

1 Like