> Yeah it would be nice there were a way to limit the entire scope of an addon's permissions to a whitelist of domains.
You can do this for the network read/write permissions, where the permission request dialog on install will tell you the URL patterns the extension wants access to.
I can't do this for my specific extension though. My extension checks web pages for problems like broken links, so it needs to be able to fetch any web page URL you give it and then it has to fetch any URLs that are linked to on the page, so I have to ask for access to http://\\\* and https://\\\* (I could maybe get away with just the `activeTab` permission to check the domain of the current tab if the checks were more limited though).
The extension is only doing operations like this within its own tab, when you have the extension open, and for it's own network requests, so it's frustrating there isn't a more granular permission I can ask for as I've isolated it as much as I could.
It's a tricky problem though. Browser makers will have certain kinds of extensions in mind, and optimise to make the permission system and permission request messages friendly for those kinds of extensions. Less standard extensions usually have to settle for broader permissions with less friendly permission descriptions, until hopefully the permission system gets iterated on based on how it's being used in the wild (Manifest V3 in Chrome for example).
You can do this for the network read/write permissions, where the permission request dialog on install will tell you the URL patterns the extension wants access to.
I can't do this for my specific extension though. My extension checks web pages for problems like broken links, so it needs to be able to fetch any web page URL you give it and then it has to fetch any URLs that are linked to on the page, so I have to ask for access to http://\\\* and https://\\\* (I could maybe get away with just the `activeTab` permission to check the domain of the current tab if the checks were more limited though).
The extension is only doing operations like this within its own tab, when you have the extension open, and for it's own network requests, so it's frustrating there isn't a more granular permission I can ask for as I've isolated it as much as I could.
It's a tricky problem though. Browser makers will have certain kinds of extensions in mind, and optimise to make the permission system and permission request messages friendly for those kinds of extensions. Less standard extensions usually have to settle for broader permissions with less friendly permission descriptions, until hopefully the permission system gets iterated on based on how it's being used in the wild (Manifest V3 in Chrome for example).