Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Block extension from specific hosts #701

Open
fregante opened this issue Sep 28, 2024 · 3 comments
Open

Block extension from specific hosts #701

fregante opened this issue Sep 28, 2024 · 3 comments
Labels
needs-triage: chrome Chrome needs to assess this issue for the first time needs-triage: firefox Firefox needs to assess this issue for the first time supportive: safari Supportive from Safari

Comments

@fregante
Copy link

fregante commented Sep 28, 2024

Problem

Extensions host permissions are not granular enough:

  • if the extension requests "all sites" access (via manifest or permissions.request()), there's no way to remove specific websites1
  • if the permission is declared in the manifest (via host_permissions or content_scripts.*.matches), there's no way to withdraw it2

Proposal: permission block list

Browsers already have the ability to disable some hosts, but this information is not clearly exposed to the extension author nor can it be expanded.

await browser.permissions.getAll();
// => {origins: ['https://*/*']}

await browser.permissions.blocked.getAll();
// => ['https://banking.example.com/*', 'https://password-manager.example.org/*']

The extension could then ask for removal: browser.permissions.blocked.remove(['https://banking.example.com/*'])

  • If the block was added via browser UI, the user will be prompted: "The extension requests access to banking.example.com"
  • If the block was added via browser.permissions.blocked.add, the action will proceed automatically.

This ability could also be used by the extension author to enable/disable its own content scripts and user scripts as necessary, for example to:

  • "Disable extension on this domain"
  • "Reload without extension"
  • "Disable extension for 15 minutes"

Related

This was proposed in some form in #653, but this proposal applies to permissions more generically. Adding a website to the block list would also disable the injection of its content scripts.

#700 also has some overlap in capability, but intent and possibilities are very different.

Footnotes

  1. Safari can do so via browser UI (screenshot), but not via API

  2. Safari and Chrome can do so via browser UI (screenshot), but not via API

@github-actions github-actions bot added needs-triage: chrome Chrome needs to assess this issue for the first time needs-triage: firefox Firefox needs to assess this issue for the first time needs-triage: safari Safari needs to assess this issue for the first time labels Sep 28, 2024
@carlosjeurissen
Copy link
Contributor

Related to the disallow_host_permissions proposal: #123. Which is a static equivalent of this proposal. What is the motivation to do it dynamically? Content scripts for example allow excludeMatches and excludeGlobs.

@fregante
Copy link
Author

Static configuration is for choices made by authors; APIs are for choices made by the user. I also gave some examples:

This ability could also be used by the extension author to enable/disable its own content scripts and user scripts as necessary, for example to:

  • "Disable extension on this domain"
  • "Reload without extension"
  • "Disable extension for 15 minutes"

@rustyzone
Copy link

Really like this idea had been drafting something similar a while back ( https://gist.github.com/rustyzone/16771562bb512d70354c5a9e7e3b88c0 )

Main difference here was not being extension specific particularly for cases like the banking example.

@xeenon xeenon added supportive: safari Supportive from Safari and removed needs-triage: safari Safari needs to assess this issue for the first time labels Oct 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs-triage: chrome Chrome needs to assess this issue for the first time needs-triage: firefox Firefox needs to assess this issue for the first time supportive: safari Supportive from Safari
Projects
None yet
Development

No branches or pull requests

4 participants