Firefox 77 is loaded with great improvements for the WebExtensions API. These additions to the API will help you provide a great experience for your users.
Since Firefox 57, users have been able to see what permissions an extension wants to access during the installation process. The addition of any new permissions to the extension triggers another notification that users must accept during the extension’s next update. If they don’t, they won’t receive the updated version.
These notifications were intended to provide transparency about what extensions can do and help users make informed decisions about whether they should complete the installation process. However, we’ve seen that users can feel overwhelmed by repeated prompts. Worse, failure to see and accept new permissions requests for updated versions can leave users stranded on older versions.
We’re addressing this with optional permissions. First, we have made a number of permissions optional. Optional permissions don’t trigger a permission prompt for users during installation or when the extension updates. It also means that users have less of a chance of becoming stranded.
Second, we’re encouraging developers who use optional permissions to request them at runtime. When you use optional permissions with the permissions.request API, permission requests will be triggered when permissions are needed for a feature. Users can then see which permissions are being requested in context of using the extension. For more information, please see our guide on requesting permissions at runtime.
Merging CSP headers
Users who have multiple add-ons installed that modify the content security policy headers of requests may have been seeing their add-ons behave erratically and will likely blame the add-on(s) for not working. Luckily, we now properly merge the CSP headers when two add-ons modify them via webRequest. This is especially important for content blockers leveraging the CSP to block resources such as scripts and images.
Handling SameSite cookie restrictions
We’ve seen developers trying to work around SameSite cookie restrictions. If you have been using iframes on your extension pages and expecting them to behave like first party frames, the
SameSite cookie attribute will keep your add-on from working properly. In Firefox 77, the cookies for these frames will behave as if it was a first party request. This should ensure that your extension continues to work as expected.
Please also see these additional changes:
- The tabs.duplicate API now allows the position and active status of a duplicated tab to be specified.
- We’ve limited the ability to monitor data: URIs using the webRequest API. This feature was never clearly documented, and is also not supported by Chrome. Please see the bug for more details.
- WebExtensions can now also clear IndexedDB and ServiceWorkers by hostname using the hostnames removal option of browsingData.remove.
- tabs.goBack and tabs.goForward are now supported.
I’m very excited about the number of patches from the community that are included in this release. Please congratulate Tom Schuster, Ajitesh, Tobias, Mélanie Chauvel, Atique Ahmed Ziad, and a few teams across Mozilla that are bringing these great additions to you. I’m looking forward to finding out what is in store for Firefox 78, please stay tuned!