w3c / webextensions

Charter and administrivia for the WebExtensions Community Group (WECG)

Block extension from specific hosts #701

Open fregante opened 1 month ago

fregante commented 1 month ago

Problem

Extension host permissions are not granular enough:

Proposal: permission block list

Browsers already have the ability to disable some hosts, but this information is not clearly exposed to the extension author nor can it be expanded.

await browser.permissions.getAll();
// => {origins: ['https://*/*']}

await browser.permissions.blocked.getAll();
// => ['https://banking.example.com/*', 'https://password-manager.example.org/*']

The extension could then ask for removal: browser.permissions.blocked.remove(['https://banking.example.com/*'])

This ability could also be used by the extension author to enable/disable its own content scripts and user scripts as necessary, for example to:

Related

This was proposed in some form in https://github.com/w3c/webextensions/issues/653, but this proposal applies to permissions more generically. Adding a website to the block list would also disable the injection of its content scripts.

https://github.com/w3c/webextensions/issues/700 also has some overlap in capability, but intent and possibilities are very different.

[^1]: Safari can do so via browser UI (screenshot), but not via API

[^2]: Safari and Chrome can do so via browser UI (screenshot), but not via API
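
An added example, not part of the original post and not any browser's API: a sketch of how the proposed block list could combine with granted origins, assuming a blocked pattern always overrides a granted one. `matchesPattern` and `hasEffectiveAccess` are hypothetical helper names, and only http/https match patterns are handled.

```javascript
// Added illustration. matchesPattern and hasEffectiveAccess are hypothetical
// helpers, not browser APIs; "blocked wins over granted" is an assumption.

// Escape regex metacharacters, then expand the pattern wildcard "*" to ".*".
function globToRegex(glob) {
  return glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
}

// Test a URL against one match pattern of the form <scheme>://<host>/<path>.
// Only http/https patterns are handled; "<all_urls>" and other schemes are not.
function matchesPattern(pattern, url) {
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*:]+)(\/.*)$/.exec(pattern);
  // Fail loudly: a typo in a block-list entry must not silently block nothing.
  if (!m) throw new TypeError(`unsupported match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  let u;
  try { u = new URL(url); } catch { return false; }
  const urlScheme = u.protocol.slice(0, -1);
  if (urlScheme !== "http" && urlScheme !== "https") return false;
  if (scheme !== "*" && scheme !== urlScheme) return false;
  const h = u.hostname;
  if (host.startsWith("*.")) {
    // "*.example.com" covers example.com itself and every subdomain.
    const base = host.slice(2).toLowerCase();
    if (h !== base && !h.endsWith("." + base)) return false;
  } else if (host !== "*" && h !== host.toLowerCase()) {
    return false; // exact host: subdomains are NOT covered
  }
  // The path part is compared with the URL path plus query string.
  return new RegExp("^" + globToRegex(path) + "$").test(u.pathname + u.search);
}

// A URL is accessible only if some granted origin matches and no blocked one does.
function hasEffectiveAccess(url, granted, blocked) {
  if (blocked.some((p) => matchesPattern(p, url))) return false;
  return granted.some((p) => matchesPattern(p, url));
}

// Constructed sample state, using the values shown in the proposal above.
const granted = ["https://*/*"];
const blocked = ["https://banking.example.com/*", "https://password-manager.example.org/*"];

console.log(hasEffectiveAccess("https://news.example.net/a?b=1", granted, blocked));
console.log(hasEffectiveAccess("https://banking.example.com/login", granted, blocked));
console.log(hasEffectiveAccess("https://app.banking.example.com/", granted, blocked));
```

The exact-host entry does not cover `app.banking.example.com`; a block list meant to include subdomains needs a `*.` host pattern such as `*://*.example.com/*`.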

carlosjeurissen commented 1 month ago

Related to the disallow_host_permissions proposal: https://github.com/w3c/webextensions/issues/123, which is a static equivalent of this proposal. What is the motivation to do it dynamically? Content scripts, for example, allow excludeMatches and excludeGlobs.

fregante commented 1 month ago

Static configuration is for choices made by authors; APIs are for choices made by the user. I also gave some examples:

This ability could also be used by the extension author to enable/disable its own content scripts and user scripts as necessary, for example to:

  • "Disable extension on this domain"
  • "Reload without extension"
  • "Disable extension for 15 minutes"

rustyzone commented 1 month ago

Really like this idea; I had been drafting something similar a while back (https://gist.github.com/rustyzone/16771562bb512d70354c5a9e7e3b88c0).

The main difference here was not being extension-specific, particularly for cases like the banking example.