Firefox to list all host permissions on about:addons
Upcoming versions of Mozilla's Firefox web browser will list all host permissions on about:addons, the internal management page of the browser.
Firefox, just like most desktop web browsers, supports browser extensions. Extension developers need to specify special permissions for their extensions, e.g. access to a particular site, if they make use of that functionality.
Firefox displays these permissions on the Mozilla Add-ons website and when users start the installation process. Firefox users need to accept the permission request to install the add-on in the browser.
Add-ons may be managed on the browser's about:addons website. All it takes is to load the URL, or select Menu > Add-ons, to open the management interface. Firefox lists all installed add-ons and their state, as well as themes and other information.
Permissions of each add-on may be listed when the add-on is selected on the management page. Up until now, host permissions were limited as Firefox did not list them all but only some. The remaining would be listed as "access your data on X other sites" on the Permissions page.
While Firefox users had the option to visit the add-on's page on the Mozilla website to look up all hosts permissions, it was clear that something had to be done about it on about:addons so that users would see all permissions right away. Hosts permissions refer to sites that the extension has access to (opposed to the universal "access your data for all websites" permission.
The following two screenshots visualize the difference. The first screenshot shows how Firefox displays hosts permissions currently, the second how hosts permissions are displayed in the future.
The change is a smaller one considering that there are only a few extensions that request more than a few hosts permissions. The vast majority of Firefox add-ons that request site permissions appear to request access to all sites even if they are designed to run only on a specific site; this is not a Firefox-specific problem though as the same is done by Chrome extension developers.
Now You: Do you check permissions and/or something else before you install extensions?
One of those planned features I’d be dumb to disagree with : more you know about an extension better it is. What do I check before installing a new extension?
Permissions : I plead guilty of too often if not always not checking these.
What I do check is if the extension is new, number of users, their comments (when available, too many users just score the extension and if so I totally disregard the rating). Also, quite often I’ll download the extension, un-zip it and search for remote connections I’d find in the code.
To make it short : I more or less investigate when the extension is brand new, no or few users, and no other extension from the developer being mentioned.
I’ll admit that I often “smell” (“au pif” as we say in French) the extension which means I rely on an the irrationality of intuitions, even if I’m aware of what misleading intuitions can be, though less consequent than if i were a cop :=)
Really nice new function extension of this add-on function a significant one even, I dear to wright.
Is there that you know of Martin (Or anybody else) any possibility available or will there be a possibility available to block specific host permissions who I think are not wanted by me and keep at the same time, the concerning add-on alive and working properly?
If I’m understanding correctly, that can be done in AdGuard with user filters. uBlock O and Matrix should be able to also.
Or brute force with hosts file or experiment with the about:config extensions switches.
I haven’t seen any side effects so far but I only use a few add ons and AdGuard is the system level version.
Some of those permissions seem to be general, e.g., some video downloaders claim to access data for all sites visited but don’t do anything until you play a video somewhere, then they pick up everything needed for your download which can be from a number of sites.
Maybe this new feature will give more insight.
Thank UlBoom, That would be nice. I am waiting or this will happen.
The brute force method is not really where I am waiting for. Nice to read that your first contacts are not given any side effects, thats prommising.
“The vast majority of Firefox add-ons appear to request access to all sites even if they are designed to run only on a specific site” But..I wonder why many devs did this though for both FF and Chrome, as mentioned in the article. Laziness or other limitations? (sorry, not an extension dev)
Still, good to see more details added in.
“The vast majority of Firefox add-ons appear to request access to all sites even if they are designed to run only on a specific site; this is not a Firefox-specific problem though as the same is done by Chrome extension developers.”
Martin, what documentation do you have to support this claim?
I took a look at 50 random Firefox extensions. Of them, 29 didn’t need web access at all. 9 of them only allowed access to very specific sites for obvious functionality, 7 needed access to all sites for functionality on every site, and 5 requested access to all sites but likely could restrict access to just a few sites.
That’s very different than a “vast majority”.
I didn’t go through all (or even the majority) of the 18,731 currently available extensions, but maybe you did. Did you?
Regardless, even if it’s not a “vast majority” as claimed, I still found 10%, which is 10% too many. Fortunately, it’s a trivial one line fix in the extension’s manifest to change from accessing all sites to just accessing one domain or host.
I encourage people to contact the developers of their favorite extensions if an extension is requesting unneeded permissions. Note that it is better to ask than to accuse, as the average user often is unaware of why certain permissions are needed.
Mozilla is doing a good job by making these permissions even more clear within Firefox.
Sorry, I meant the vast majority of add-ons that request permission to access sites.
What year is this??? https://i.imgur.com/FgxAFZU.png
Not only it shows all domains, but you also get to choose whethrer you allow access to all, some or none.
This also shows what a half-arsed job moz://a has done implementing WE support in fx after ditching XUL extension support. Lazy organization, greedy and overall not very intelligent – either this or malice, or maybe a combination of both.
@ ULBoom: How, specifically, would one use uBlock Origin to block some of a Firefox extension’s permissions while allowing others? Which part of the uBO interface is that in? Can you give an example?
@ Kincaid: Where is an extension’s “manifest” located? Can you give an example of a “trivial one line fix in the extensionâ€™s manifest to change from accessing all sites to just accessing one domain or host”?
I think it would be nice if the Firefox interface itself allowed us to allow or deny specific portions of the extension’s permission requests, and also nice if the notes by the extension’s developers would explain the specific reasons for each request.
I install far fewer extensions than I used to, mostly because of these issues. Years ago, I once went through the code of a FF extension by a Russian developer that I had installed. I discovered a few URLs or IP addresses located in Russia inside the code that had no logical reason to be there at all. I uninstalled it.
I check the history behind the devs, so I can trust the ones behind decentraleyes, noscript, ublock origin because they are fine for me.