
On Web Extensions shortcomings and their impact on add-on security - stesch
https://palant.de/2017/11/11/on-web-extensions-shortcomings-and-their-impact-on-add-on-security
======
klondike_
I always thought it was bizarre that WebExtensions had no UI framework.
Injecting stuff into a website seems like a poor solution

~~~
eejdoowad
An extension overlay API would have saved me so much pain when building Saka
(saka.io). There are two options for injecting UI today:

1\. Inject UI directly into the document

2\. Inject an iframe containing the UI into the document

Both rely on manipulating the document, which can be used to fingerprint
users. Most developers opt for 1 because it requires no setup and lets the
content script synchronously access the UI. 2 is needed when the injected UI
containing sensitive information.

I'd like an extension overlay API that lets you inject: 1\. UI local to the
tab 2\. UI that persists across all tabs

In a brief #webextensions IRC discussion, I was told an overlay API isn't
viable for a number of reasons, one of which is multiple extensions may
conflict.

~~~
hawski
Did they tell you how the extensions may conflict? I don't understand what it
means. Couldn't it work like e.g. context menu does already for extension
icon?

~~~
eejdoowad
What happens when two extensions try to place a widget in the same location?
Chaos. Not that the status quo is any better.

Interestingly, Firefox's sidebar API only allows a single sidebar to be shown.

~~~
drdaeman
I still don't get it. What problem they're trying to avoid?

It's exactly the same if two extensions would currently try to manipulate the
page by adding a frame (or, worse, a <div> with non-isolated UI) to the same
location.

The only difference is, with out-of-page widgets (e.g. overlay regions or
popouts), they won't be visible in the page's DOM.

~~~
eejdoowad
My understanding is that if they do implement an API, they want it to be
better than the status quo, not the same.

------
paulryanrogers
Secure access to the clipboard is probably going to require a permission
prompt. Otherwise it seems too risky.

~~~
tyingq
Already out of the bag. You can manipulate the clipboard now from extensions.

~~~
fabrice_d
And behind a permission: see "Clipboard access" in
[https://developer.mozilla.org/en-US/Add-
ons/WebExtensions/ma...](https://developer.mozilla.org/en-US/Add-
ons/WebExtensions/manifest.json/permissions)

------
Feniks
The only shortcoming is the user. Only install ad ons that you know and
understand. And only from the official project source.

Or you can (correctly) assume users are a danger to themselves and coddle
them. The Google Chrome/Apple/Microsoft philosophy.

~~~
rco8786
History has shown us that users are overwhelmingly a danger to themselves when
it comes to this sort of thing. Pretending otherwise is not a good strategy.

~~~
Feniks
Oh I know. People are why we can't have nice things. Like add ons.

Already you can't install the latest versions unless Mozilla approves them.

I just prefer freedom, including the freedom to make mistakes.

