- Chair: Timothy Hatcher
- Scribes: Rob Wu
Time: 8 AM PST = https://everytimezone.com/?t=62b3ad00,3c0 Call-in details: WebExtensions CG, 23th June 2022 Zoom issues? Ping @zombie (Tomislav Jovanovic) in chat
Agenda: github issues
The meeting will start at 3 minutes after the hour.
- Carry-over from previous meetings
- Issue 217: Make WebExtension Javascript APIs available in WebWorkers spawned from a bundled document
- PR 186: Add mock for browser.secureStorage proposal
- PR 226: Update browser.secureStorage proposal with authentication levels
- Issue 227: Making host permissions optional by default appears to be harmful for extensions with global host permissions
- Other new issues
- Open discussion queue (add yourself at the bottom)
- None
- Check-in on ongoing issues
- Issue 162: DNR: disable individual static rules
- Rob Wu (Mozilla)
- Craig @ Keeper
- David Johnson (Apple)
- Timothy Hatcher (Apple)
- Steven McLintock (1Password)
- Alexei (Privacy Badger)
- Danny Colin (Multi-Account Containers)
- Rainer Enders (Keeper Security)
- Richard Worth (Capital One)
- Oliver Dunk (1Password)
- Benjamin Bruneau (1Password)
- Simeon Vincent (Google)
- Gaurang Tandon (Blaze Today)
- Brian Weinstein (Apple)
- Kiara Rose (Apple)
- Carlos Jeurissen (Jeurissen Apps)
- Felipe Erias (Igalia)
- Tyler Carson (Keeper)
- Jack Works (Sujitech)
- Giorgio Maone (NoScript)
- Mukul Purohit (Microsoft)
- Tim Heflin (Keeper)
Issue 217: Make WebExtension Javascript APIs available in WebWorkers spawned from a bundled document
- [bradley] We're in an ephemeral process and want to leverage workers more. E.g. we'd like access to messaging API (runtime.sendMessage) and in-memory storage (storage.memory).
- [timothy] Are these workers spawned from the background service worker?
- [bradley] No, from the foreground, an extension tab. We see this scenario becoming more common due to the constraints imposed by the switch to ephemeral service workers.
- [rob] Extension APIs are currently not exposed to workers. Work has started to expose extension APIs to background service workers, but that does not automatically imply that it's easy or desirable to expose extension APIs to dedicated workers.
- [simeon] When discussed with the Chrome team, they were open to the idea, but no concrete implementation plans. Concerns over waking other worker contexts in response to an event. E.g. a scoped service worker extension wouldn't be able to register in a tab.
- [bradley] In our case we'd expect the worker to be awake in the process.
- [simeon] Let me clarify: a worker would behave like extension page's behave today: when the extension tab is closed, the context is closed.
- [bradley] How would the APIs be exposed? Inherit from worker?
- [timothy] Any worker spawned by an extension would also have access to the APIs.
- [jack] Concern about security: if we are going to expose browser APIs to web workers, it should be an explicit opt in. e.g. A new option in the Worker constructor.
- [oliver] Should be a flag in the manifest.
- [simeon] In summary, it sounds like we're all tentatively in support, but no browsers have immediate plans to implement. As such, we'll continue discussing and attempting to align as we move forward.
PR 186: Add mock for browser.secureStorage proposal
- [simeon] I'll review and merge.
PR 226: Update browser.secureStorage proposal with authentication levels
- [oliver] Simeon posted feedback about being willing to merge, but I'd like to also see some feedback / review if possible.
- [simeon] I have looked at the PR last night, I'll follow up with a more meaningful response in the PR.
- [timothy] Was about to comment. I preferred the previous API format that was more generic. Currently the fields are very specific, e.g. would the “macos” keyword apply to iOS too?
Issue 227: Making host permissions optional by default appears to be harmful for extensions with global host permissions
- [alexei] We touched on this in the last two meetings already. I opened an issue, so we can discuss this offline. It would be good to learn more about the browser vendors' motivations for this. The current design may work on mobile where permissions/access can be controlled (you can use a weather app without giving it precise geolocation access), but I don't think that this applies to extensions. Password manager and privacy/security/ad blocking extensions require global host access for core functionality. The host permissions are not an optional component for such extensions. Users want to install an extension and expect it to work.
- [craig] When did this change? Is this going to ship?
- [timothy] In Safari this has already shipped.
- [simeon] In Firefox this will ship by default in MV3. In Chrome we wanted to ship in MV3, but haven't shipped yet because we weren't satisfied with the user experience. I would tentatively expect this to be released in the coming months.
- [craig] So we would have to prompt the user to grant additional permissions?
- [simeon] Potentially. But there is work being done. We are looking at declarative APIs, e.g. APIs to support password managers.
- [craig] One click or on every host?
- [simeon] Idea behind the badged action is for the user/browser to have the ability to ease the experience. E.g. if the user has granted twice in a week, prompt the user to grant permissions more persistently.
- [rainer] Are you performing user studies?
- [simeon] Yes. It may actually be useful to write an open letter or something in order for browser vendors to consider this kind of feedback in more detail than some anecdotal experiences mentioned in passing.
- [giorgio] I have not heard a clear story for a way to perform whitelisting where it doesn't act. Where the user wants to temporarily disable the extension.
- [rob] The user can choose to allow the extension to access all sites.
- [simeon] An extension can always declare host permissions with access to all URLs. The extension will however not be granted all access by default. It can request specific access, or the user can grant access.
- [giorgio] So NoScript would have to nag the user on every page?
- [rob] For NoScript it would make more sense to introduce an onboarding flow where the user opts in to granting access to all URLs by default.
Issue 229: Extension Icon Design for Light/Dark/Custom Theme on Browser Toolbar
- [timothy] The issue has a design doc with an API proposal to support dark themes.
- [simeon] If I recall correctly, there has been a proposal for a runtime API, the proposal only covers a static API.
- [timothy] For the most part, the design looks good to me.
- [rob] Is there any difference between this API and media queries?
- [simeon] This is similar to media query APIs. Both media queries and this draft design defer to the browser to select the appropriate image.
- [timothy] Extensions can implement this today with media queries. This is about getting JS out of the picture and letting the browser automatically pick the right variant.
- [carlos] There are situations where the OS is using light mode, but where the toolbar has a darker color. Just relying on dark/light theme detection or media queries wouldn't cover this, as it could result in a bad contrast.
- [timothy] Agreed. There are a lot of situations where we need to be creative and take what's available in order to display an appropriate icon.
- [carlos] Firefox has a theme_icons property to allow extensions to declare dark/light icons.
Issue 230: Inconsistency: browser.runtime.OnInstalledReason
- [rob] What does Safari do here?
- [timothy] I don't know if we even support this.
- [simeon] Our hesitation with changing chrome_update to browser_update is that Chrome extensions are currently expecting the current strings. Any such change should be in a new manifest version.
- [timothy] I just checked; we don't support this in Safari at the moment. We generally support both the Chrome and browser APIs where possible.
- [rob] In this case it's not possible, because the onInstalled event is fired with this specific value.
- [timothy] I think that we would prefer the browser_update value here.
Issue 231: Extension API to find the public suffix (eTLD) of a given URL/domain
- [timothy] This is a feature request to expose the public suffix list to extensions.
- [rob] Would we want this API, and if so, what should the API look like? E.g. namespace, whether it takes a URL or domain.
- [oliver] Would love to see this.
- [timothy] In favor of this. Can take a domain or URL.
- [simeon] On Chrome's side we are hesitant. A number of PSL maintainers at Chrome have concerns. Extension-specific concern is that this capability can be served in JS code itself, and that it is not necessary to have this exposed by the browser.
- [rob] If the goal is to have a consistent interpretation of the public suffix, then there's no other way for the extension to have the same behavior as the browser.
- [giorgio] I wanted to raise exactly the same point. In the pre-WebExtension extension APIs, NoScript used Firefox's internal APIs, but now it has to update PSL in the extension, and there are still inconsistency issues with potential security impact.
- [timothy] Agreed.
- [alexei] Agreed, Privacy Badger would benefit from this functionality.
Issue 232: WECG at TPAC 2022
- [timothy] Coming up soon in september.
- [simeon] Last night I started to read the TPAC documentation and gather notes. I'll update the issue with an overview of TPAC and a recommendation for our participation on this issue within the next few hours
- [rob] Do you intend to attend TPAC?
- [simeon] Tentatively, yes. Still watching the global health situation.
- [rob] At Mozilla's side we're also considering attending, with multiple members of the extensions engineering team.
- [timothy] Likewise for Safari.
- [mukul] (Microsoft) I am also considering.
Issue 233: [housekeeping] Reorganise github labels
- [carlos] Last meeting we talked about this. I filed an issue to start a discussion on cleaning up labels.
- [timothy] I like some of your suggestions.
Issue 162: DNR: disable individual static rules
- [felipe] I have continued to work on the implementation, wrote an extension with benchmarks. I posted an update with the benchmark results in the issue. Talked with extension developers and asked about update frequency. It's ranging from once an hour to once a day. So if we want to introduce rate limits, this order of magnitude can be a starting point.
- [simeon] I saw the “Chrome: follow-up” label yesterday, which is too short notice before this meeting, but I'll follow up with the Chrome team and get back.
The next meeting will be on Thursday, July 7th, 8 AM PST (3 PM UTC).