Look up all domain access requests of Firefox extensions before installation
The Firefox web browser displays extra permissions that an extension requests during installation and won't proceed with the installation until you activate the add button.
Extra permissions may request access to specific domains or all sites on the Internet, to display notifications, or to access the browser tabs.
You may sometimes notice that Firefox lists only some of the domains an extension requests access to. In that case, Firefox displays a number instead, e.g. 13 other domains.
The prompt offers no option to display the entire list of domains an extension requests access to. You see such a prompt in the screenshot below.
The page of the extension on the Mozilla website lists the very same permissions so that it is not possible to verify all domains an extension requests access to using it or the installation prompt.
While it is certainly better if extensions request access to as few domains as possible to provide their functionality, it is a usability issue that you cannot look the information up prior to the installation.
Here is a quick guide on how to display all domains without installing the extension.
First the manual way:
- Go to the page of the extension on the Mozilla website or a third-party website.
- Right-click on the "add to Firefox" button and select the "Save link as" option.
- Save the extension file to the local system.
- Open the folder on the local device the extension was saved to.
- If you have Bandizip or comparable software installed, right-click on the file and select one of the available extraction options.
- If you don't use dedicated software for that, rename the file extension from xpi to zip.
- Extract the Zip archive using Explorer.
- Open the folder of the extracted archive.
- Open manifest.json in a plain text editor, e.g. Notepad.
- Check permissions; it lists all domains the extension requests access to and all other permissions the extension requests during installation.
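The manual steps above can also be scripted. The following is an added example, not part of the original article: it reads manifest.json straight from a saved .xpi file, without renaming or extracting it, and separates domain match patterns from the other permissions. The function names and the sample manifest are constructed for illustration.

```python
import io
import json
import sys
import zipfile


def is_host_pattern(entry):
    """Match patterns such as *://*.example.com/* or <all_urls> grant site access."""
    return isinstance(entry, str) and (entry == "<all_urls>" or "://" in entry)


def extension_permissions(xpi):
    """Return (hosts, apis) from manifest.json; xpi is a path or binary file object."""
    with zipfile.ZipFile(xpi) as archive:  # an XPI is an ordinary Zip archive
        manifest = json.loads(archive.read("manifest.json").decode("utf-8-sig"))
    declared = []
    # permissions / optional_permissions mix API names and host patterns;
    # host_permissions is the separate key used by Manifest V3.
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared += manifest.get(key, [])
    hosts = {p for p in declared if is_host_pattern(p)}
    apis = {p for p in declared if isinstance(p, str) and not is_host_pattern(p)}
    # Content scripts list the sites they are injected into under "matches".
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return sorted(hosts), sorted(apis)


def build_sample_xpi():
    """Constructed sample: an in-memory XPI holding only a manifest.json."""
    manifest = {
        "manifest_version": 2,
        "name": "Constructed sample",
        "version": "1.0",
        "permissions": ["tabs", "notifications", "*://*.example.com/*"],
        "optional_permissions": ["<all_urls>", "https://api.example.org/*"],
        "content_scripts": [{"matches": ["*://*.example.net/*"], "js": ["cs.js"]}],
    }
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("manifest.json", json.dumps(manifest))
    return buffer


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_xpi()
    hosts, apis = extension_permissions(source)
    print("Domains / match patterns:", *hosts, sep="\n  ")
    print("Other permissions:", *apis, sep="\n  ")
```

Run it with the path of the saved .xpi file as the only argument. Firefox accepts // comments in manifest.json, so a manifest that uses them needs those lines stripped before json.loads will parse it.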
Extension Source Viewer
Now with the help of the Firefox add-on Extension Source Viewer. We reviewed the extension back in 2016; check out the review for additional details. Chrome users can install this extension to verify Chrome extensions. You may also want to check out our guide on precautions to take before installing Chrome extensions.
- Install Extension Source Viewer in Firefox.
- Right-click on the extension page and select "View extension source".
- Select the manifest.json file to inspect it.
- Check the listed domain permissions.
Tip: You may use a web version of Extension Source Viewer if you prefer not to install an extension to check other extensions.
Closing Words
Mozilla should consider adding an option to the extension page on the Firefox website and the installation prompt to list all domains an extension requests access to. (via Reddit)
Firefox is doing everything it can to make it harder and harder to use its browser safely with respect to privacy. That’s why extensions can’t block network requests by other extensions anymore. Privacy is totally dead and the horse keeps being picked apart, bit by bit.
@ Steve
No. webextensions are on the same API, so what webext A is doing is not a job for uBlock or uM.
I can’t get Extension Source Viewer to do anything, but the first method works for me.
I didn’t realise until now that (some) extensions for Firefox would access undeclared domains!
Thanks, Martin!
For installed extensions, I just use the extension “Project Insight” which shows all the extensions you have and what permissions they have.
For installed extensions you don’t need an extension, just go to about:debugging and open each manifest URL link in a new tab
The ‘via Reddit’ link goes to one of your articles.
Worthy recall of extensions’ permissions and what they imply. Personally I tend to omit focusing on those permissions.
I may be getting the ‘Extension Source Viewer’ Firefox extension because the web version mentioned in the article (CRX Viewer) doesn’t seem to work here…
And to find the permissions of installed extensions there is of course Firefox’s about:debugging with all the installed extensions’ ID and UUID with a direct link to their Manifest URL
Out of curiosity, does uBlock / uMatrix allow you to block sites that the extension is asking for?
Not with Web Extensions, as extension code is privileged. In legacy XUL it could.
This is wrong.
You can block extension web requests if you remove uBlock’s “behind-the-scene” scheme in the whitelist.
@Ray, I don’t think so : “[…]uBO no longer can see network requests from other extensions”
https://github.com/gorhill/uBlock/wiki/Behind-the-scene-network-requests
Firefox is doing everything it can to make it harder and harder to use its browser safely with respect to privacy.
@Emily – that’s a two edged sword. Would you like a rogue or hijacked extension messing with your other extensions? Either way, there are pros and cons.
Very useful, thanks a lot !