I used to work in an industry where being ISO 9001 certified was necessary in order to remain competitive. If you are unfamiliar with ISO 9001, it is a set of standards that requires a business to document each process, and then follow those documented processes. And every autumn, sure as the leaves falling from the trees, an independent auditor would show up to verify we were indeed documenting and following our processes. It’s like a tax audit you impose on yourself (and about as unpleasant).
The idea behind ISO 9001, though, is that a certified business can be trusted, both in its business dealings and its delivered products. It is meant to convey a sense of quality and security to customers.
Firefox (thankfully) is not subject to ISO standards, but we still ask users to trust us. This is especially true for extensions. How do we communicate that a user should trust an extension when, conceivably, it has access to every site the user visits and can see each byte of data the user sends and receives?
A primary way Firefox builds trust with users is by showing them what an extension is capable of doing via permissions. During installation, the user is presented with a list of permissions that the extension has requested, and that list must be explicitly confirmed before installation proceeds. As developers we can take advantage of this opportunity to connect with our users. Fully explaining the permissions we need (on the landing page, in the listing, and/or in the extension itself) and why we need them creates trust in our extension and faith in Firefox.
Chrome has had this type of permission system for some time, and most people are used to seeing this on their mobile phones where, for years, applications have asked for permissions when installed. Longtime Firefox users, however, may not be used to seeing this prompt, as it is relatively new, introduced with the WebExtensions API. Therefore, as developers, we should only ask for the permissions our extension absolutely needs, demonstrating respect for user privacy and reinforcing the trust bond with our users.
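One way to check a manifest against that advice before publishing, as an added example that is not Mozilla's code: the function name `auditManifest`, its three rules, and both sample manifests are constructed for illustration.

```javascript
"use strict";
// Added example: least-privilege check for a WebExtension manifest.json.
// Match patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  // Permissions the manifest lists as required.
  // Manifest V3 moves host patterns to "host_permissions".
  const required = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  const optional = new Set(manifest.optional_permissions || []);
  const findings = [];
  let broad = false;

  for (const p of required) {
    if (BROAD_HOSTS.has(p)) {
      broad = true;
      findings.push({ permission: p, issue: "broad-host",
        advice: "list the specific hosts needed, or rely on activeTab" });
    }
    if (optional.has(p)) {
      findings.push({ permission: p, issue: "also-optional",
        advice: "drop it from the required list and request it at runtime" });
    }
  }
  // activeTab adds nothing once every host is already granted.
  if (broad && required.includes("activeTab")) {
    findings.push({ permission: "activeTab", issue: "redundant-active-tab",
      advice: "keep activeTab and remove the broad host pattern" });
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const overBroad = {
  manifest_version: 2,
  name: "constructed-sample",
  permissions: ["storage", "<all_urls>", "activeTab", "bookmarks"],
  optional_permissions: ["bookmarks"],
};
const trimmed = {
  manifest_version: 2,
  name: "constructed-sample",
  permissions: ["storage", "activeTab", "https://api.example.com/*"],
  optional_permissions: ["bookmarks"],
};

for (const f of auditManifest(overBroad)) {
  console.log(`${f.permission}: ${f.issue} -> ${f.advice}`);
}
```

The `trimmed` manifest produces no findings, so the function can gate a build step by failing when the returned list is non-empty.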
Mozilla provides material on this blog and on our support site to help users better understand what is happening with permissions. For developers, this article on MDN goes into more detail on ways to request and use appropriate permissions. Following that advice can help gain and maintain trust in extensions, without the pain of an ISO 9001 audit.