Yesterday I decided to give Manifest v3 extensions in Firefox a try to see how things work out. I wrote a very small extension that has a content script injected into example.com, and thus requiring
host_permissions for this domain. The functionality of this extension is not relevant here, imagine it just alerts “hi” when you visit that site.
Now, unlike in Manifest v2 where permissions are granted on extension install time, the Firefox implementation of MV3 requires users to explicitly grant specific domain permissions a second time, usually when they visit the domain in question, which in my case of course would be example.com.
Here is the problem. This is terribly communicated towards the user and would lead to a lot of confusion. Please look at this screenshot and tell me, is there anything here making it apparent or obvious that an extension requires permissions to work for this domain?
Now if you spotted it easily, I’m happy for you. But it took me almost 30 minutes to realize my extension wasn’t working. There is a small dot below the puzzle icon, which you have to click, and from there on the user can grant and control permissions. If it took me this long to realize this as a developer, then it’s safe to say this is not the most intuitive design for the average Joe user.
Furthermore, it’s actually even more confusing. As you see in the gif above, you allow the extension to “run for this visit only”. Once I do, my script triggers immediately and I get the “hi” alert to appear on my screen. However, if I choose to “always allow example.com” from the gear menu, the script will only trigger after a full page reload, making it even more confusing.
I am hoping this is just an early implementation of MV3 host permissions in Firefox rather than the final product. In my opinion the extensions need to have a more clear and obvious way to communicate to the user that their attention (permission) is required rather than just a tiny dot on the screen.