Please improve the way host permissions are requested and granted in Manifest v3 (puzzle icon)

Yesterday I decided to give Manifest v3 extensions in Firefox a try to see how things work out. I wrote a very small extension that has a content script injected into, and thus requiring host_permissions for this domain. The functionality of this extension is not relevant here, imagine it just alerts “hi” when you visit that site.

Now, unlike in Manifest v2 where permissions are granted on extension install time, the Firefox implementation of MV3 requires users to explicitly grant specific domain permissions a second time, usually when they visit the domain in question, which in my case of course would be

Here is the problem. This is terribly communicated towards the user and would lead to a lot of confusion. Please look at this screenshot and tell me, is there anything here making it apparent or obvious that an extension requires permissions to work for this domain?

Now if you spotted it easily, I’m happy for you. But it took me almost 30 minutes to realize my extension wasn’t working. There is a small dot below the puzzle icon, which you have to click, and from there on the user can grant and control permissions. If it took me this long to realize this as a developer, then it’s safe to say this is not the most intuitive design for the average Joe user.

Furthermore, it’s actually even more confusing. As you see in the gif above, you allow the extension to “run for this visit only”. Once I do, my script triggers immediately and I get the “hi” alert to appear on my screen. However, if I choose to “always allow” from the gear menu, the script will only trigger after a full page reload, making it even more confusing.

I am hoping this is just an early implementation of MV3 host permissions in Firefox rather than the final product. In my opinion the extensions need to have a more clear and obvious way to communicate to the user that their attention (permission) is required rather than just a tiny dot on the screen.


Ok, since making this post I actually discovered that this whole process needs to be repeated for CNAME records, and probably subdomains too. In other words, if user grants permissions for, they would need to repeat the exact same process for

Additionally, the extension permissions configuration page is quite confusing to say the least.