If I were a user, this kind of permission would make me think twice about using an extension, especially if it means that the extension has access to my credentials for any website, including banking websites!
I’m wondering if this permission (in the case of an extension for mv3) is determined by the “host_permissions”, because an extension could just as well use a listener for keyup, keydown or keypress events to capture a user’s credentials (I guess) and in the same time restrict the host permissions to known payment websites to avoid the “Access your data for all websites”.
I think that it’s becoming more and more important for Mozilla to screen extensions for security to build trust. I’d strongly encourage Mozilla to introduce at least 2 levels of security rating:
A → the extension has been thoroughly reviewed by Mozilla staff and meets a high level of security
C → the extension has been tested by AI for security and offers a satisfactory level of security
Alternatively, Mozilla could introduce a"Security report" button for each extenssion on AMO generated by AI and detailing what an extension can do and potential security loopholes.
As @juraj.masiar noted in a reply on another thread, the “Access your data for all websites” message is displayed as a result of requesting "<all_urls>" or other broad host permission patterns (e.g. *://*/*). Similarly, Chrome uses the string “Read and change all your data on all websites”. Safari uses a slightly different model for host permissions, where the default flow has users give out timed grants to specific hosts, but in that flow they use a message that conveys the same basic idea.
The main alternative is to use the activeTab permission to grant access in response to a user invocation such as clicking the browser action, selecting a context menu entry, or triggering a keyboard shortcut. The main disadvantage of using activeTab is that your extension can’t passively take action on behalf of the user – the user has to consciously trigger the extension when they want it to do something.
activeTab can also be combined with declaring <all_urls> as an optional host permission in the extension’s manifest. This makes it possible for an extension to detect that the user has invoked the extension multiple times on the same website and to ask the user if they would like to give the extension access to that site via permissions.request.
Thanks for your suggestions on improvements to the AMO experience. I’ll pass this along to the team for consideration.
Hi Simeon, thank you for your answers. I must admit I really like the way Safari handles things! It might be missing just the option to “Allow One Time”.
Unfortunately, combining activeTab with <all_urls> as an optional host permission won’t get rid of the “Access your data for all websites” permission. I think that the “…for all websites” isn’t the most worrying part, but rather “…your data…” as it doesn’t say much about the kind of data concerned (a user’s search engines isn’t as critical as a user’s credentials).
In host permissions, it would be interesting to exclude any website that deals with financial transactions, but I guess that would require a standard to make them easily identifiable.
Alternatively, if there was a way of identifying if a user is logged in a website or not, a conditional permission could allow access to a website if a user is logged in. This way a user would be able to safely input his or her credentials, during which time the extension wouldn’t have access. Then, once logged in, the extension would have access.
Even if you move “<all_urls>” to an optional permission, ‘Access your data for all websites’ will still be requested on extension installation because you have ‘http…’ and “https…” under “content_scripts”. Since you have an MV3 extension, all host permissions can be deactivated by a user in the about:addons page in an extensions ‘Permissions’ section. A user can then grant permissions to individual sites through the extensions toolbar button. The permissions may be temporary or permanent.
