With the release of Firefox Quantum on November 14, 2017, we officially entered a WebExtensions-only world for add-on development. While that event was certainly the news of the day, Firefox 58 quietly entered Beta and a host of new APIs and improvements landed. As always, documentation for the APIs discussed here can be found on MDN Web Docs.
Additional Theme API
The API around themes continues to grow, allowing you customize even more of the browser appearance. In Firefox 58, you can now:
- Change the color of the top, bottom and vertical separator for the toolbar.
- Use colors.bookmark_text as an alias for colors.toolbar_text to better support porting themes from Chrome to Firefox.
- Use theme.getCurrent() to get the ID of the current theme (on a per window basis, if desired).
- Listen for theme.onUpdated() to know when a static theme is installed or uninstalled, or a dynamic theme is updated.
Reader Mode API Added to Tabs
The API available for interacting with tabs continues to grow. Firefox reader view (or reader mode) strips away clutter like buttons, ads and background images, and changes the page’s text size, contrast, and layout for better readability. It can even read the page out loud to you, if you want.
The image below shows a page that can be viewed in reader mode, indicated by the page icon in the URL bar (circled in red).
- tabs.Tab.isArticle – boolean value shows if a tab is an article and thus supports reader mode
- tabs.Tab.isInReaderMode – boolean value reports if a tab is currently in reader mode or not
- tabs.toggleReaderMode() – toggle a tab in or out of reader mode (isArticle must be TRUE to have any effect)
- tabs.create(…, openInReaderMode) – new parameter that determines if a new tab should be created and initially displayed in reader mode
- tabs.onUpdated.addListener() – a tab will notify you when it goes into and out of reader mode
Improved webRequest API
Extensions can now easily get the entire URL ancestor chain, even in an HTTP environment. webRequest.onBeforeRequest() now includes another parameter in its callback object called frameAncestors. This is an array that contains information for each document in the frame hierarchy up to the top-level document.
Additionally, to enable proxy authorization to work smoothly, webRequest.onAuthRequired() now fires for system events. If an extension has the correct permissions, it will be able to use onAuthRequired to supply credentials for proxy authorization.
Flexible XHR and Fetch Headers
When a content script makes requests using the standard window.XMLHttpRequest or window.fetch() API, the Origin and Referer headers are not set like they would be when requests come from the web page itself. This is often desirable in a cross-domain situation so that the content script does not appear to come from a different domain.
However, some sites only allow XHR and fetch to retrieve content if the correct Referer and Origin headers are set. Starting in Firefox 58, the WebExtensions API permits the use of content.XMLHttpRequest() and content.fetch() to perform requests that look as if they were sent by the web page content itself.
Improved Content Security Policy (CSP) Handling
Work also continues in the WebExtensions CSP area. Starting with Firefox 58, the CSP of a web page does not apply to content inserted by an extension. This allows, for example, the extension to load its own resources into a page.
This is a fairly large effort requiring some substantial architectural work. In Firefox 58, the first part of this work has landed, permitting basic injection of content generated by DOM APIs. There will be follow-ups for parser-generated content and inline stylesheets and scripts.
Setting the Default Search Engine
Using chrome_settings_override, an extension can now install a new default search engine by setting the is_default key to TRUE. To protect the user, this cannot be done silently and the user will see an additional dialog that prompts them to confirm the change.
User Notification of Extensions Overrides
As the scope and power of the WebExtensions API increases, it is important to maintain the user’s security and privacy. In addition to the permission dialog that a user sees upon installation, Firefox tries to make sure that users are aware of which parts of the browser are under the control of an extension, and provide a way for them to revert back to default behavior, if desired.
Firefox 58 landed a couple of features in this area. First, when an extension has taken control of the New Tab Page, a notice is shown in Options (about:preferences) along with a button to disable the extension. This is shown in the screenshot below.
Along similar lines, if an extension has set a user’s default search engine, this will be shown on the Options (about:preferences) page.
Additional Privacy Controls
In keeping with Mozilla’s mission to protect an individual’s online security and privacy, two new browser settings related to user privacy are now exposed via the WebExtensions API. Within privacy.websites, we’ve added:
- firstPartyIsolate – This preference makes the browser associate all data (including cookies, HSTS data, cached images, and more) for any third party domains with the domain in the address bar.
- resistFingerprinting – Browser fingerprinting is the practice by which websites collect data associated with the browser or the device it’s running on to personally identify you. This preference makes the browser report spoofed information for data that’s commonly used for fingerprinting.
Browser Action Fixes
A number of changes landed in Firefox 58 that fix issues with Browser Action buttons:
- The icon badge clears as requested when you browse away from a page.
- Badge style, including text color, is maintained when opening a new window or entering customize mode.
- The correct icon is now used for dark themes as well as when the icon is part of the overflow panel.
Support for PKCS #11 Security Devices
Firefox supports manual installation of external security devices via a dialog under the Options (about:preferences) screen. Now, WebExtensions includes API support for PKCS #11 security devices. Similar to native messaging and managed storage, a native manifest must be installed outside of an extension before the API become useful.
On Android, users get install-time prompts for WebExtension permissions, but under Firefox 58 they now also get prompts when an extension adds additional permissions at runtime.
- The browsingData API now supports clearing the indexedDB storage area
- The browsingData API supports clearing localStorage by hostname, similar to cookies
- Extensions can now disable web API notifications
- The download API will respect the user’s “Save As” preference
- The “Unresponsive Script” dialog now shows the extension’s name
More to Come
The items above represent some of the bigger changes, but Firefox 58 landed a total of 79 items in the WebExtensions area. Thank you to everyone who had a part in getting Firefox 58 to Beta, especially volunteer contributors apoorvasingh2811, DW-dev, Tom Schuster, Kevin Jones, Ian Moody, Tim Nguyen, Tomislav Jovanovic, Masatoshi Kimura, Wouter Verhelst.
We continue to receive a lot of feedback from developers and, based on that feedback, work is progressing on new features for Firefox 59 and beyond. Expect to see the WebExtensions API improve and grow, particularly in regards to the organization and management of tabs, as well as the theming API. As always, thank you for using Firefox and helping ensure that individuals have the ability to shape the Internet and their own experiences on it.