Which manifest changes will trigger security pop-up on add-on update?

(Juraj Masiar) #1


Is there a list of manifest keys that triggers the security pop-up for users when changed?
I know changing “permissions” will do that, but adding or changing “optional_permissions” will not, right?

Right now I need to add the “web_accessible_resources” key and I want to be sure this will not cause any issues.

(Trishul Goel) #2
  1. Adding web_accessible_resources will not trigger any permission prompt.
  2. For optional permissions, the permission prompt will be triggered only when permissions.request() is called in your code. Also, you will be able to use the APIs mentioned in optional permissions only when you request the permission.
  3. Apart from host permissions (URLs you want to access or <all_urls>), you can get the list of available permissions at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#API_permissions
(Martin Giger) #3

To expand on this a bit, the possible permission request messages are listed on this page: https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions

(Juraj Masiar) #4

Thank you guys.
I would just add a few more cases:

  1. overriding new tab page will trigger “Your New Tab has changed” message
  2. overriding homepage will trigger “Your homepage has changed” message
  3. apart from requesting “tabHide” permission, the actual usage of this API (hiding a tab) will trigger another message: “Access your hidden tabs”

All of these messages have a button to disable the add-on!

And a bonus one: using “chrome_settings_overrides” to add a “search_provider” with the option “is_default” will ask the user whether he wants to change the default search engine - there are only Yes / No buttons.
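
A pre-release check built from the cases listed in posts #2 and #4, as an added example that is not part of any post in this thread. The function name `reviewManifestUpdate`, the `silentPermissions` parameter and the sample manifests are hypothetical; `chrome_url_overrides.newtab` and `chrome_settings_overrides.homepage` are the manifest keys assumed here for the new tab and homepage overrides mentioned above.

```javascript
// Added example, not from the thread: report what a manifest.json update
// would show to users, using only the cases the posts above describe.
const added = (before = [], after = []) => after.filter((p) => !before.includes(p));
const get = (obj, path) => path.split(".").reduce((o, k) => (o == null ? o : o[k]), obj);

// silentPermissions is an assumption supplied by the caller (fill it from the
// MDN list of permissions that show no message); empty = treat all as prompting.
function reviewManifestUpdate(oldM, newM, silentPermissions = []) {
  const findings = [];
  const note = (key, value, effect) => findings.push({ key, value, effect });

  for (const p of added(oldM.permissions, newM.permissions)) {
    note("permissions", p,
      silentPermissions.includes(p) ? "no message" : "permission prompt on update");
  }
  for (const p of added(oldM.optional_permissions, newM.optional_permissions)) {
    note("optional_permissions", p, "prompt only when permissions.request() is called");
  }
  const war = "web_accessible_resources";
  if (JSON.stringify(oldM[war]) !== JSON.stringify(newM[war])) {
    note(war, null, "no permission prompt");
  }
  // Overrides that produce their own messages (post #4).
  const overrides = [
    ["chrome_url_overrides.newtab", "\"Your New Tab has changed\" message"],
    ["chrome_settings_overrides.homepage", "\"Your homepage has changed\" message"],
  ];
  for (const [path, effect] of overrides) {
    const value = get(newM, path);
    if (value !== undefined && value !== get(oldM, path)) note(path, value, effect);
  }
  const sp = "chrome_settings_overrides.search_provider.is_default";
  if (get(newM, sp) === true && get(oldM, sp) !== true) {
    note(sp, true, "Yes/No question about changing the default search engine");
  }
  return findings;
}

// Constructed sample manifests (not a real add-on).
const oldManifest = { version: "1.0", permissions: ["storage"] };
const newManifest = {
  version: "1.1",
  permissions: ["storage", "tabHide"],
  optional_permissions: ["bookmarks"],
  web_accessible_resources: ["icons/logo.png"],
  chrome_url_overrides: { newtab: "newtab.html" },
};
const sampleFindings = reviewManifestUpdate(oldManifest, newManifest, ["storage"]);
console.log(sampleFindings);
```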

(Juraj Masiar) #5

I’ve just found a list of permissions that should not raise an alert:

The following permissions don’t get alerted to users:

API permissions

But I’m not sure this applies for the update as well. Can anybody confirm that?

There is an article about testing this yourself, but it’s quite a complex process.

I would like to use contextualIdentities in the near future which is still not available as optional: