Firefox extension requires no permissions in Firefox but many permissions in Orion

Aaltano · Sep 10, 2023

Steps to reproduce:

Go to this Firefox extension in Orion: https://addons.mozilla.org/en-US/firefox/addon/open-graph-preview-and-debug/
Install it

Expected behavior:
This extenion requires NO permissions in Firefox at all:

I would expect it to require no permissions in Orion as well, but instead it asks for very invasive permissions, e.g. "read and alter webpages and see your browsing history on this website", and it asks for these permissions on every website I load (not just when interacting with the extension).

Orion, OS version; hardware type:
Orion
Version 0.99.125-beta (WebKit 616.1.22)
Build date Jul 31 2023
MacBook Pro (macOS Ventura 13.5.1 build 22G90)

Image/Video:

dino · Sep 21, 2023

altano This extension requires activeTab permissions, and as Orion respect per-site access restrictions, it will ask you for access confirmation. Firefox is missing per-site privacy/security feature.

{
  "manifest_version": 2,
  "name": "Open Graph Preview",
  "version": "1.0.4",
  "description": "Preview what users will see if this webpage is shared on Facebook. Uses the webpage's OG tags.",
  "icons": {
    "48": "icons/og-dark-48.png",
    "96": "icons/og-dark-96.png"
  },
  "permissions": [
    "activeTab" <------------
  ],
  "browser_action": {
    "default_icon": "icons/og-dark-96.png",
    "theme_icons": [
      {
        "light": "icons/og-96.png",
        "dark": "icons/og-dark-96.png",
        "size": 32
      }
    ],
    "default_title": "Open Graph Preview",
    "default_popup": "popup/popup.html"
  },
  "web_accessible_resources": [],
  "browser_specific_settings": {
    "gecko": {
      "id": "{6e262423-d612-4f29-be6e-e83aa641645d}"
    }
  }
}

However you can opt for "Always Allow on Every Website" in case you don't want this popup

You can set this as global behavior too, by changing install settings on next web-ext install, or can change per-extension settings using Preferences -> Websites -> (Scroll Down for Extension Settings in left panel)

Aaltano · Sep 24, 2023

@Vlad so you’re saying that if I accept this permission prompt in Orion, and grant the extension these permissions on all websites, it would be equivalent to the permissions the extension has in Firefox without the prompt?

If Firefox’s permissions allowed extensions to access all of that without a prompt I would be very surprised. If they don’t, I’m not sure I understand your reply.

Thanks for taking a look, either way.

dino · Sep 25, 2023

altano

if I accept this permission prompt in Orion, and grant the extension these permissions on all websites

Yes, if you select Allow on all websites it will not show any further prompt.

If Firefox’s permissions allowed extensions to access all of that without a prompt I would be very surprised. If they don’t, I’m not sure I understand your reply.

Orion is mostly focused on user privacy, where you can limit websites access for web-extensions (like banking sites, or sites having confidential information), that's why you are seeing those prompts, but still you have option to get rid of those. just by selecting Allow on all websites from bottom-left popup list while installing extension (before clicking on Add)

Aaltano · Sep 26, 2023

So I was curious to understand if Firefox was defying my expectations on security/privacy here given this thread and here's what I found.

Firefox is missing per-site privacy/security feature.

I don't think this is exactly true, at least not how I interpreted it. Here is Mozilla's take on this permission:

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#activetab_permission

My interpretation of that is that an extension such as this Open Graph Preview is granted extra permissions on any tab where the user interacts with the extension. So Open Graph Preview would not be allowed to access data on a tab BEFORE I interacted with the extension (e.g. clicked its button).

Orion is not taking this approach: it is prompting me to grant the activeTab permissions before I interact with the extension.

Having an explicit permissions prompt like Orion has that comes up when I interact with the extension would be more theoretically secure than what Firefox is doing, since it would be getting my explicit consent instead of the consent implied by my interacting with the extension.

BUT, showing me this prompt and making me grant the permissions to the extension ALWAYS, before I've interacted with the extension, has two problems:

1) It's less secure to give the extension these permissions ALL the time vs. just when I interact with it (it is all the time, right?)
2) It makes such an extension impossible to install unless I'm willing to grant it broad privileges.

If I'm misunderstanding Orion's permissions dialogue and it also doesn't allow the extension access to data until you interact with the extension, even after you've given the extension those permissions, then the permissions dialogue isn't worded very well.

Does that all make sense? Is there a flaw in my logic here?

dino · Sep 26, 2023

altano having activeTab permission, an extension is free to use browser.tabs.executeScript() and browser.tabs.insertCSS(), and that need user consent for sure. And if Firefox is not asking for that, there's definitely some issue with Firefox.

BUT, showing me this prompt and making me grant the permissions to the extension ALWAYS, before I've interacted with the extension, has two problems:

It's up to you if you want to allow this extension or not, having ALWAYS options in prompt don't mean you must select those, you can choose Do not ask again to silent this.

Orion shows permission prompt to get user's content as the tab gets active. Use has few options

Allow for one day

The extension is allowed on open website for a day only.

Always Allow on This Website

The extension is always allowed on open website.

Always Allow on Every Website

The extension is always allowed on any website. (If the user trusts the extension and want to make it whitelist and don't want any further prompt)

Do not ask again

No need to show the prompt as user don't wish to give this extension permissions

Not sure, what is your ask. Do you want Orion to remove web extensions restrictions for injecting scripts, css to pages without user consent?

We expect you to explain what you want to suggest for current flow to make it better (we want to build a browser better then Firefox & Chrome, as Firefox & Chrome already exists and people wants something better now )

Aaltano · Sep 28, 2023

dino thanks for getting back to me.

Not sure, what is your ask. Do you want Orion to remove web extensions restrictions for injecting scripts, css to pages without user consent?

I guess I would love it if Orion matched Firefox's behavior for activeTab: implicitly give the extension permission on the current tab, only when I interact with the extension. And if that's not possible because you don't want to implicitly give the extension permission, then the second best option is: don't show the permissions prompt until I interact with the extension.

For this specific extension: I am a web developer and I sometimes want to debug open graph data for a website. It is my understanding that Firefox will restrict this extension from accessing the current tab the 99.999% of time I don't click it, but once I click on the extension button it is able to read the active tab's html and show an open graph image preview.

With Orion: I have to either:

Give the extension permission to read all website data all the time or
Accept/reject a permissions prompt on every single new website I go to

#2 is silly and no one would put up with this, and #1 is insecure and gives the extension overly broad permissions. For me, that makes this extension perfect in Firefox and unusable in Orion.