Open fregante opened 1 month ago
Related to the `disallow_host_permissions` proposal: https://github.com/w3c/webextensions/issues/123, which is a static equivalent of this proposal. What is the motivation to do it dynamically? Content scripts, for example, allow `excludeMatches` and `excludeGlobs`.
Static configuration is for choices made by authors; APIs are for choices made by the user. I also gave some examples:
This ability could also be used by the extension author to enable/disable its own content scripts and user scripts as necessary, for example to:
- "Disable extension on this domain"
- "Reload without extension"
- "Disable extension for 15 minutes"
Really like this idea; had been drafting something similar a while back (https://gist.github.com/rustyzone/16771562bb512d70354c5a9e7e3b88c0).
Main difference here was not being extension-specific, particularly for cases like the banking example.
Problem
Extensions' host permissions are not granular enough:
- `permissions.request()`), there's no way to remove specific websites[^1]
- `host_permissions` or `content_scripts.*.matches`), there's no way to withdraw it[^2]

Proposal: permission block list
Browsers already have the ability to disable some hosts, but this information is not clearly exposed to the extension author nor can it be expanded.
The extension could then ask for removal:

```js
browser.permissions.blocked.remove(['https://banking.example.com/*'])
```

`browser.permissions.blocked.add`, the action will proceed automatically.

This ability could also be used by the extension author to enable/disable its own content scripts and user scripts as necessary, for example to:
- "Disable extension on this domain"
- "Reload without extension"
- "Disable extension for 15 minutes"
Related
This was proposed in some form in https://github.com/w3c/webextensions/issues/653, but this proposal applies to permissions more generically. Adding a website to the block list would also disable the injection of its content scripts.
https://github.com/w3c/webextensions/issues/700 also has some overlap in capability, but intent and possibilities are very different.
[^1]: Safari can do so via browser UI (screenshot), but not via API
[^2]: Safari and Chrome can do so via browser UI (screenshot), but not via API
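
A userland model of the block-list semantics proposed in this issue, as an added example (not code from the issue, the linked gist, or any browser). `BlockList`, `hasAccess` and the `ttlMs` parameter are hypothetical names, and the model assumes a blocked pattern always overrides a granted one.

```javascript
// Added model of the proposed block list; not a browser API or the issue's code.
// Parses a WebExtensions match pattern (<scheme>://<host>/<path>) into a RegExp.
// '<all_urls>' is deliberately not handled here.
function patternToRegExp(pattern) {
  const m = /^(\*|https?|file):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  if (!m) throw new TypeError(`Invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const schemeRe = scheme === '*' ? 'https?' : scheme;
  let hostRe = esc(host);
  if (host === '*') hostRe = '[^/]*';
  else if (host.startsWith('*.')) hostRe = `(?:[^/]+\\.)?${esc(host.slice(2))}`;
  return new RegExp(`^${schemeRe}://${hostRe}${path.split('*').map(esc).join('.*')}$`);
}

function matches(pattern, url) {
  const u = new URL(url);
  return patternToRegExp(pattern).test(`${u.protocol}//${u.hostname}${u.pathname}${u.search}`);
}

// Hypothetical stand-in for the proposed permissions.blocked namespace.
class BlockList {
  constructor(now = () => Date.now()) {
    this.entries = new Map(); // pattern -> expiry timestamp (ms)
    this.now = now;
  }
  // ttlMs (assumed parameter) models "Disable extension for 15 minutes".
  add(patterns, ttlMs = Infinity) {
    for (const p of patterns) {
      patternToRegExp(p); // reject malformed patterns before storing them
      this.entries.set(p, this.now() + ttlMs);
    }
  }
  remove(patterns) {
    for (const p of patterns) this.entries.delete(p);
  }
  blocks(url) {
    for (const [p, expiry] of this.entries) {
      if (expiry <= this.now()) this.entries.delete(p); // expired: unblock
      else if (matches(p, url)) return true;
    }
    return false;
  }
}

// Assumption: a blocked pattern always wins over a granted one.
function hasAccess(url, granted, blockList) {
  return granted.some((p) => matches(p, url)) && !blockList.blocks(url);
}
```

Passing a clock function to `BlockList` keeps the expiry logic testable without waiting for real time to pass.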