Create a new WebExtension API/permission: Provide API to sites #643

Open
danfinlay opened this issue Jul 25, 2018 · 4 comments

@danfinlay danfinlay commented Jul 25, 2018

At MetaMask, we use the WebExtension "read and write data on all sites you visit" permission for the unusual purpose of providing an additional API to sites a user visits.

A downside of this is that security-conscious users are nervous about approving such all-encompassing permissions, and in fact if our distribution system were compromised, the potential impacts could be large.

Long term, we probably need to be simply integrated into browsers. But medium term, we would greatly benefit from a new WebExtension API & accompanying permission that explicitly only provides an API to sites.

Such a permission would not:

  • Allow us to freely read from websites a user visits
  • Run keystroke logging on sites a user visits
  • Manipulate how a page otherwise loads for a user.

This permission would only:

  • Allow us to define an object that could be exposed globally on the window object.
  • Allow this object to call back when its methods were called.
  • Allow this object to pass methods back to the background process before responding.
  • Allow registering listeners for events triggered from the background process.

@BrendanEich BrendanEich commented Jul 25, 2018

Dan, thanks for filing. Has anyone tried getting Google's attention on such an API for extensions being added? Thanks.

@danfinlay danfinlay commented Jul 25, 2018

No, I don't think we've filed for Google's attention on this yet, although we did have some discussions with Mozilla a while back:

https://bugzilla.mozilla.org/show_bug.cgi?id=1319168

(Not the exact topic but on the same domain)

@danfinlay danfinlay commented Jul 25, 2018

Another discussion on this topic is here: MetaMask/metamask-extension#813 (comment)

We thought maybe the Component.utils.cloneInto API could be used for this with some adjustments.

@danfinlay danfinlay commented Jul 25, 2018

Actually maybe we need to revisit this on the MetaMask side. Looks like the externally_connectable from sites feature was added so that extensions like MetaMask could do this.

Here's the Chromium discussion on that topic:
https://bugs.chromium.org/p/chromium/issues/detail?id=679238
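
The thread ends by pointing at `externally_connectable` as an existing route for a page to call into an extension. As an added example (not part of the thread and not MetaMask or Brave code), the handler below shows the background side of that route: it answers page calls only from an allowlisted origin and only for explicitly named methods. The origin `https://dapp.example`, the method names and the returned values are hypothetical.

```javascript
// Constructed manifest.json fragment that scopes which pages may message the extension:
//   "externally_connectable": { "matches": ["https://dapp.example/*"] }

// Hypothetical allowlist; mirrors the manifest match pattern above.
const ALLOWED_ORIGINS = new Set(["https://dapp.example"]);

// Hypothetical methods exposed to pages. Only own keys of this object are callable.
const METHODS = {
  getAccounts: () => ["0xPLACEHOLDER_ACCOUNT"], // constructed placeholder value
  getNetwork: () => "testnet",
};

// Validate one page -> extension call and return the reply object.
function handleExternalMessage(message, sender) {
  let origin;
  try {
    // Parse the sender URL instead of string matching, so that
    // "https://dapp.example.evil.test" is not mistaken for the allowed origin.
    origin = new URL(sender && sender.url).origin;
  } catch {
    return { error: "unknown sender" };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { error: "origin not allowed" };
  }
  const name = message && message.method;
  // hasOwnProperty blocks inherited names such as "constructor" or "toString".
  if (typeof name !== "string" ||
      !Object.prototype.hasOwnProperty.call(METHODS, name)) {
    return { error: "unknown method" };
  }
  const params = Array.isArray(message.params) ? message.params : [];
  return { result: METHODS[name](...params) };
}

// Register with the browser when running inside an extension background context.
if (typeof chrome !== "undefined" && chrome.runtime &&
    chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    sendResponse(handleExternalMessage(message, sender));
  });
}
```

The manifest pattern and the in-code allowlist are checked independently, so a later widening of the manifest does not silently widen what the handler accepts.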

@bbondy bbondy added this to the Backlog milestone Jul 26, 2018
@rebron rebron modified the milestone: 1.x Backlog Feb 7, 2019