[WebExtensions] Anti-phishing for add-on pages

(Desktopd Mozilla Product Lead) #1

Continuing the discussion from [WebExtensions] Future of innovative add-ons:


How to make clear that a certain page belongs to a locally-installed add-on the user trusts? This should be implemented because add-ons often handle security-sensitive things and phishing is terrible. Previously we could tell the users the right URIs of the add-on UIs since they are static resource: or chrome: addresses. But with WebExtensions all the addresses are randomized, so this is not good for user experience. (Recognizing moz-extension: part is not enough: you cannot tell the add-on’s name from it)

Resources in WebExtensions should indicate their identities.

This of course should be distinguishable from HTTPS pages or Firefox pages.

(Noitidart) #2

You got some awesome thoughts. But it looks like you’re discussing with you and yourself. :stuck_out_tongue: haha. Not a bad thing, its a fun read!

(Jorge) #3

Please file a bug here. That sounds like a good suggestion.

(Desktopd Mozilla Product Lead) #4

Thank you.