Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inconsistency: Host permissions in Manifest V3 #288

Open
muzuiget opened this issue Oct 12, 2022 · 1 comment
Open

Inconsistency: Host permissions in Manifest V3 #288

muzuiget opened this issue Oct 12, 2022 · 1 comment

Comments

@muzuiget
Copy link

I wrote some testing code about host permissions for current Chrome and Edge stable version:

  • Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
  • Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.42

I found some inconsistency, it may also mislead users to know the actual host permissions are required/granted by the extension.

1. Defined in content_scripts

This imply required host permissions:

{
    "manifest_version": 3,
    "name": "mv3",
    "version": "0.1.0",
    "content_scripts": [
        {
            "matches": [
                "https://www.youtube.com/*"
            ],
            "js": [
                "youtube.js"
            ]
        }
    ]
}

Chrome:

Screenshot_20221012_165100

Edge:

Screenshot_20221012_165108

Edge's "on all sites" makes it seem like extensions require any host permissions.

2. Defined in host_permissions

Runing chrome.scripting.registerContentScripts() in backgroud.js

{
    "manifest_version": 3,
    "name": "mv3",
    "version": "0.1.0",
    "permissions": [
        "scripting"
    ],
    "host_permissions": [
        "https://www.youtube.com/"
    ],
    "background": {
        "service_worker": "background.js",
        "type": "module"
    }
}

Chrome:

Screenshot_20221012_165259

Edge:

Screenshot_20221012_165330

The same as "Defined in content_scripts"

Defined in optional_host_permissions

After first-install, use chrome.permissions.request() to grant the permission.

{
    "manifest_version": 3,
    "name": "mv3",
    "version": "0.1.0",
    "permissions": [
        "scripting"
    ],
    "optional_host_permissions": [
        "https://www.youtube.com/"
    ],
    "options_page": "options.html",
    "background": {
        "service_worker": "background.js",
        "type": "module"
    }
}

Chrome on first-install:

Screenshot_20221012_165541

Chrome after grant:

Screenshot_20221012_165654

Edge on first-install:

Screenshot_20221012_165602

Edge after grant:

Screenshot_20221012_165740

  • Chrome doesn't listing the host items on first-install.
  • Edge doesn't tell users the extension really granted host.

Even Edge is chromium-base browser, it has difference behavior than Chrome.

Currently I prefer Safari behavior:

  • treat all host permissions are user optional.
  • listing all host items in the extension manage page to let users one-click to allow/disallow.

So for users, host_permissions just the same as optional_host_permissions, they are optional at runtime.

But developers still can use host_permissions to add some extra behaviors:

  • The hosts are force to be granted on first-install from Chrome Store, this make the extension works out-of-box.
  • Show a required-icon on the listing host items, to warn users: "if you disallow it, you maybe break the extension".
@mukul-p
Copy link
Collaborator

mukul-p commented Oct 13, 2022

Feel free to fire Browser specific issue (or cross reference from here).
This is for Microsoft Edge - https://github.com/microsoft/MicrosoftEdge-Extensions/

@Rob--W Rob--W mentioned this issue Oct 13, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@muzuiget @mukul-p