Perhaps I am still misunderstanding, for, although there isn’t currently a way in Firefox extensions to post a message with a target ID, I don’t see why the same level of security cannot be achieved as when using externally_connectable.
Why do you have to connect externally rather than following the Firefox extension communication methods?
In the extension manifest, the URL match pattern limits which web pages the extension will act upon, and that can be your web pages only. The extension injects a content script into your web page only, which establishes a communication port with the background script of your extension. Thus, communication is limited between the two rather than posting a message from a web page directly to an extension that may be listening. The web page communicates with the content script, which communicates with the background script, but, of course, the content script can also listen for events in the web page, and there are ways to share objects between the web-page scripts and content scripts.
I’m far, far from an expert, but my understanding is that using browser.runtime.connect() can limit communication between the web page and the extension through the content script, such that there cannot be any undesired communication with other extensions because the message is not being posted for any listener to hear.
In that bug discussion link, one poster wrote that "Chrome’s implementation won’t allow to send messages to extensions from content scripts, so if implemented the same way, this shouldn’t be an issue." I don’t know if that is true or not, but it is not the way it works in Firefox extensions, because the content script is the means of communication.
Instead of the extension listening for a message from any web page that passes the correct ID in a post message, the extension would first listen to which web pages are loaded and, when the specific URL match pattern is met, will inject the content script into that page to establish communication between the two. After that communication is established, either side can initiate communication.
In my limited understanding, the answer to "How do I create a way for a website to know that a particular extension ID is installed, and that it is not an extension clone with a different ID?" is that you cannot do exactly that, but you can create an extension that knows which web pages are loaded in the browser and choose with which ones it should communicate. That seems to be the same result.
If that doesn’t get to the fundamentals of your question, then as said by jscher2000, it’s over my head and I apologize for having wasted your time.
Also, where you ask "Are you saying that a clone of my extension would be able to intercept the message even if it has a different ID?", I’m not certain, but I’m pretty sure that is what is being said in that bug report link as recently as four or six months ago.
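
The page-to-content-script-to-background relay described in the post above, as an added example that is not part of the original post or of any project's code. The origin `https://app.example.com`, the `my-ext-bridge` channel tag, the `bridge.js` file name and the `{channel, body}` message shape are assumptions for illustration.

```javascript
// Added example. ALLOWED_ORIGIN and CHANNEL are placeholders, not from the post.
// manifest.json (assumed): "content_scripts": [{ "matches":
//   ["https://app.example.com/*"], "js": ["bridge.js"] }]
const ALLOWED_ORIGIN = "https://app.example.com";
const CHANNEL = "my-ext-bridge";

// Content-script side: build the window "message" handler that relays to the
// background port. Returns true only when the message was forwarded.
function makeRelay(win, port) {
  return function onPageMessage(event) {
    if (event.source !== win) return false;            // frames, other windows
    if (event.origin !== ALLOWED_ORIGIN) return false; // unexpected origin
    const data = event.data;
    if (!data || data.channel !== CHANNEL) return false; // unrelated traffic
    port.postMessage({ body: data.body });
    return true;
  };
}

// Background side: accept a port only if the connecting page URL is on the
// allowed origin; otherwise disconnect it.
function acceptPort(port) {
  let ok = false;
  try {
    ok = new URL(port.sender.url).origin === ALLOWED_ORIGIN;
  } catch (_) {
    ok = false; // missing sender or unparsable URL
  }
  if (!ok) port.disconnect();
  return ok;
}

// Wiring, skipped outside a browser extension. Content scripts have no
// browser.tabs, which tells the two contexts apart.
if (typeof browser !== "undefined" && browser.runtime) {
  if (browser.tabs) {
    browser.runtime.onConnect.addListener(acceptPort);
  } else {
    const port = browser.runtime.connect({ name: CHANNEL });
    window.addEventListener("message", makeRelay(window, port));
  }
}
```

These checks control what the extension accepts; anything the page sends with window.postMessage is still delivered to every script listening in that page.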