Disable Optional Permissions such as 'Access your data for all websites'
Hello,
For enterprise solutions, for our browser extension can we disable the switch button where user can turn-off the "Access your data for all websites"?
This can be informed to the end user and also approved by the IT admins.
But the option to disable at runtime on the fly needs to be disabled.
All Replies (9)
We don't currently have a way to do that, but it is on our roadmap.
Thanks @mike.
DO we have any update on this lately, Even for enterprise policy enforced extensions end users are able to turn off the permissions.
This is raising a serious concerns from customers. Can someone please share right channel to communicate this and if possible to expediate a fix for the issue?
Ti ṣàtúnṣe nípa GB
I'll move this up in priority.
I'm curious why this isn't a required permission though?
Also, can I get a copy of the extension to test?
I would be concerned about a rogue policy overriding the host permission controls offered by Manifest v3 for an untrustworthy extension, but perhaps that is paranoid thinking.
Policy won't be setting the controls, it's that if an addon is installed via policy, they won't be modifiable.
As far as rogue policy in general goes, changing policy requires admin access (whether that is updating the policy registry or putting policies.json in the EXE directory) so if someone has that, all bets are off anyway.
Hello ! Sorry for the delay, I was away from the city into the wilderness.
My bare minimum test extension has below files: 1. manifest.json ``` {
"manifest_version": 3,
"name": "Enter Key Extension",
"version": "1.0.4",
"browser_specific_settings": {
"gecko": {
"id": "TestMv3@extension.com"
}
},
"description": "Extension that detects ENTER key presses and sends messages to background",
"background": {
"scripts": [
"background.js"
]
},
"content_scripts": [
{
"matches": ["<all_urls>"],
"js": ["content.js"]
}
],
"permissions": [
"declarativeNetRequest",
"tabs",
"nativeMessaging",
"scripting",
"activeTab"
]
} ```
2. content.js ``` // Listen for keydown events document.addEventListener('keydown', function(event) {
// Check if the pressed key is ENTER
if (event.key === 'Enter') {
// Send message to background script
chrome.runtime.sendMessage({
type: 'enter-key-pressed',
timestamp: Date.now(),
url: window.location.href
});
}
});
console.log('Content script loaded and listening for ENTER key'); ```
3. background.js ``` // Listen for messages from content scripts chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
// Log the received message
console.log('Message received from content script:', message);
console.log('Sender tab:', sender.tab);
// Optionally send a response back
sendResponse({ status: 'Message received successfully' });
});
console.log('Background script loaded and listening for messages'); ``` PFA: Screenshots for the tests. In first 2 SS, the extension is observed to be forced-installed and also the console logs are visible. In last 2 SS the optional permission "Access your data for all websites" is turned off and because of which the console logs are not observed and the extension also do not communicate with the background.
Note: after disabliing the permission, page reload is needed.
Please do let me know if incase more details needed.
Ti ṣàtúnṣe nípa GB
Hello Mike, jscher2000
So we have any timelines or updates on this?
No updates. I have a patch, but I'm working on a test. Hopefully in the next version of Firefox.