Requesting permissions conveniently & Modifying iframes without blanket permissions

In general, Firefox dev pages seem to advocate good security practices, but heavy-handed restrictions make it difficult to perform some actions without going against such practices.

I was wondering if there was an elegant way to ask for permission to access domains whose iframes are in the current webpage. I need to modify DOM elements in (potentially cross-origin) iframes of pages for which the add-on has permission. I would like to do so without the <all_urls> and all_frames permissions.

Edit: I can read the ‘src’ attribute of the iframe, but I cannot request permissions for that url without a pre-defined user action.

  1. What is best practice then? Some obnoxious popup informing the user to simply click the Browser Action?

  2. One step further: If I want the user to be able to modify the url (with wildcards and such) before requesting permission, how do I ask for permission elegantly? The doc says I can use “a button in a page bundled with the extension”, but this does not seem to be the case for the Browser Action popup.

Thanks,
Ben

I wonder if activeTab would give you enough power for your use case?

As far as I can tell, activeTab permissions do not extend to iframes in the page. Additionally, the add-on I am creating is passive; I do not want the user to perform some designated “user action” to inject my content script.

I have edited my post and hopefully narrowed down my issue.

I greatly appreciate your reply,
Ben

Hi Ben, one possibility would be to detect the hosts and ask the user if they want to grant permission. The hangup is that permission.request() doesn’t work when called from a popup (i.e., hanging off your toolbar button) or sidebar in Firefox. I think you need to show the Options page or maybe something in a new window. I haven’t had time to experiment.

Yes, the fact permission.request() is linked to a user action is the hangup. For the foreseeable future, I will use a window-based popup approach in which I create a new, minimal window with a “user action” button. The result is ugly, but at least it does not divert the user from his current browsing page.
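
The approach discussed in this thread (read each iframe's `src`, then ask for just those hosts from a button in a bundled page) could look like the sketch below. It is an added example, not code from any poster. The function names, the element ids `grant` and `status`, and the `frame`/`page` query parameters are hypothetical, and it assumes the requested hosts are covered by `optional_permissions` in the manifest.

```javascript
// Convert one iframe src (possibly relative) into a host match pattern, or null.
function srcToMatchPattern(src, baseUrl) {
  let url;
  try {
    url = new URL(src, baseUrl);
  } catch (e) {
    return null; // unparsable src
  }
  // Only http(s) frames map to requestable hosts; skip about:, data:, blob:, etc.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // Match patterns carry no port, so use hostname rather than host.
  return `${url.protocol}//${url.hostname}/*`;
}

// Deduplicated, sorted patterns for every frame that is cross-origin to the page.
function patternsForFrames(srcs, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const patterns = new Set();
  for (const src of srcs) {
    const pattern = srcToMatchPattern(src, pageUrl);
    if (pattern && new URL(src, pageUrl).origin !== pageOrigin) {
      patterns.add(pattern);
    }
  }
  return [...patterns].sort();
}

// Runs only inside the bundled extension page (hypothetical ids and parameters).
if (typeof document !== "undefined" && typeof browser !== "undefined") {
  document.getElementById("grant").addEventListener("click", async () => {
    // Assumed hand-off: the content script's frame list arrives in the query string.
    const params = new URLSearchParams(location.search);
    const origins = patternsForFrames(params.getAll("frame"), params.get("page"));
    // Called before any await, so it still counts as part of the user's click.
    const granted = await browser.permissions.request({ origins });
    document.getElementById("status").textContent = granted
      ? `Granted: ${origins.join(", ")}`
      : "Permission was not granted";
  });
}
```

Listing the exact patterns on the page before the button is clicked lets the user see which hosts are being requested, and keeps the grant narrower than `<all_urls>`.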