Porting Chrome add-on -> Firefox: page permissions not granted by default?

Background information: I am trying to port my a recently created Chrome Extension to Firefox. I am using manifest v3 for the Firefox version of my extension. I have had to make minimal changes to the Chrome manifest.json to get the extension to load in Firefox: .background.service_worker => .background.scripts, added .browser_specific_settings.gecko.id and .browser_specific_settings.gecko.strict_min_version, .options_page => .options_ui.page, add .options_ui.open_in_tab set to true. With these changes, I am able to load the extension XPI into Firefox Developer Edition with signature verification disabled.

However, when the extension is loaded, permission for content scripts on the web site it operates on is not granted by default. The user has to either click on the gear icon for the extension when on the relevant site and enable permissions, or go to the manage page for the extension and enable the permissions there.

This is different from Chrome, where the permissions are granted automatically when the user installs the extension.

Is this the behavior that end users of my extension on Firefox will see, or is this only occurring because I’m loading an unsigned extension so Firefox is being extra paranoid about it? Or is there something different I need to do in manifest.json on Firefox for permissions to be granted automatically?

I know that other extensions, e.g., Bitwarden, that I’ve installed from addons.mozilla.org do not have this problem; they don’t seem to need to be explicitly granted permission to run content scripts on a site. But I don’t know whether this is because they’re signed, or because they’re using manifest v2, or because there’s something different they’ve done in their manifest.json, etc.

My extension only operates on one web site and the user is pretty clearly granting permission for it to operate by installing the extension because it says quite clearly what site it is going to operate on, so it’s redundant and not user-friendly for them to have to then take additional steps to grant the permission so the extension will work. I’m hoping there’s a way to make that unnecessary that I just haven’t been able to identify yet.

It’s because you are using a MV3 extension. MV2 get all their non-optional permissions by default.

From my understanding Chrome was planning to have the same behavior for MV3, but they either also abandoned that plan or haven’t gotten around to it.

Thanks. Any idea whether I should expect for Firefox’s behavior to eventually revert to Chrome’s, or for Chrome’s to eventually mirror Firefox’s, or for them to continue to behave differently for the foreseeable future?

I can’t speak for Chrome’s plans.

We’re developing an improved install flow for mv3 extensions, and if your extension only requests a few specific domains (so not <all_urls>) we’ll make it easier for users to grant that during install (likely checked by default).

Note that we don’t plan to revert any behavior in Firefox, so users could still decide not to grant those permissions (or may revoke them later), so your extension should still account for that, check and ask for any permissions it “needs” to function using the optional permissions api.

Hope that helps.

Is there somewhere where the status and direction of this development can be followed? I did not succeed searching bugzilla for this?
… And is it expected to be ready for the next Firefox ESR (version 115)?

The main issue with having host permission optional by default is that the permission API is not supported everywhere in Firefox.

For example, you can’t request for permission from the devtools (https://bugzilla.mozilla.org/show_bug.cgi?id=1796933)

From my understanding Chrome was planning to have the same behavior for MV3, but they either also abandoned that plan or haven’t gotten around to it.

Chrome is taking a different approach to restricting host permissions; their plan is to implement a host permission limits across both Manifest V2 and V3. This plan was outlined in their Chrome Dev Summit 2020 talk. This is most recent thread I recall seeing about Chrome’s default host permission grants Default host permission grants during installation.

The main issue with having host permission optional by default is that the permission API is not supported everywhere in Firefox.

I believe you should be able to post a message from the DevTools panel to the extension’s background context and perform the permission request from there.

Simeon (dotproto)
Firefox WebExtensions DevRel

1 Like