Measures against extension-originated leaks detailed in DataSpii report
Categories: WebExtensions :: Untriaged, enhancement
Tracking: Not tracked
People: Reporter: sahal8020, Unassigned
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Steps to reproduce:
Read DataSpii report here https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/
Actual results:
I was appalled and found no public response from the Mozilla team.
Expected results:
Read an acceptable response and commitments from people behind my favorite browser. For example:
- Provide an option to turn an extension to be only local (no web access) at time of installation with ability to turn that on/off from Add-ons Manager (with adequate risk/breaking warnings on both ways).
- Give higher priority to these tickets:
-- Extend optional permissions (https://bugzilla.mozilla.org/show_bug.cgi?id=1458585)
-- Users can control host permissions (https://bugzilla.mozilla.org/show_bug.cgi?id=1497075)
-- Permissions API events (https://bugzilla.mozilla.org/show_bug.cgi?id=1444294)
- Provide a Permissions page listing each one, an explanation, risk associated, etc. and which extension is using it. Something similar but better than the one provided by this extension: https://addons.mozilla.org/en-US/firefox/addon/permission-inspector/.
- Stuff related to extension review process but I'll stop here so as to not get kicked out this soon since this is too much.
Thanks!
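The permissions listing requested in the description above (each permission, a rough risk flag, and which extension uses it) can be approximated from extension manifests. This is an added example, not part of the original report and not Mozilla's code; the sample manifests, extension names and the definition of "broad" are assumptions made for illustration.

```javascript
// Added example. SAMPLE is constructed; the extension names are made up.
const SAMPLE = [
  { name: "tab-helper", manifest: { manifest_version: 2,
      permissions: ["tabs", "storage", "<all_urls>"] } },
  { name: "price-watch", manifest: { manifest_version: 2,
      permissions: ["storage", "https://shop.example/*"],
      optional_permissions: ["*://*/*"] } },
  { name: "notes", manifest: { manifest_version: 3,
      permissions: ["storage"],
      host_permissions: ["https://notes.example/*"] } },
];

// Host permissions are "<all_urls>" or match patterns: scheme://host/path.
const MATCH_PATTERN = /^(\*|[a-z-]+):\/\/([^/]*)(\/.*)$/;
const isHost = (p) => p === "<all_urls>" || MATCH_PATTERN.test(p);

// "Broad" here means the pattern covers every host (assumption: partial
// wildcards such as *.example.com are not counted as broad).
function isBroad(p) {
  const m = MATCH_PATTERN.exec(p);
  return p === "<all_urls>" || (m !== null && m[2] === "*");
}

// One row per permission: its kind, whether it is broad, and which
// extensions require it at install time or only declare it as optional.
function inventory(extensions) {
  const rows = new Map();
  const add = (perm, ext, list) => {
    if (typeof perm !== "string") return; // skip malformed entries
    if (!rows.has(perm)) {
      rows.set(perm, { permission: perm, kind: isHost(perm) ? "host" : "api",
                       broad: isBroad(perm), required: [], optional: [] });
    }
    rows.get(perm)[list].push(ext);
  };
  for (const { name, manifest: m } of extensions) {
    // Manifest V2 mixes hosts into "permissions"; V3 uses "host_permissions".
    const req = [...(m.permissions || []), ...(m.host_permissions || [])];
    const opt = [...(m.optional_permissions || []),
                 ...(m.optional_host_permissions || [])];
    for (const p of req) add(p, name, "required");
    for (const p of opt) add(p, name, "optional");
  }
  // Broad host grants first, then ordered by code unit.
  return [...rows.values()].sort((a, b) =>
    (b.broad - a.broad) || (a.permission < b.permission ? -1 : 1));
}

// Extensions that get access to every site at install time.
const requiresAllSites = (exts) => [...new Set(
  inventory(exts).filter((r) => r.broad).flatMap((r) => r.required))];
```

Separating `required` from `optional` matters for the tickets listed above: an optional broad host pattern is only granted after a runtime prompt, while a required one is granted at install.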
Hi sahal8020,
Thanks for reporting this as an enhancement.
I'll add a product and component so the corresponding team can take a look at this and advise. If you consider this is not the right component, feel free to change it.
Regards,
Comment 2 • 5 years ago
Mozilla has blocked the extensions that were found to be in violation of our policies.
Extension security is important to Mozilla, and our ecosystem has undergone several shifts over the years in response to changing threats.
In response, our recent focus has been on limiting the damage malicious extensions can do, helping users discover recommendations [1] that we vet and monitor, helping users understand the risks that come with installing extensions, and making it easier for users to report potentially malicious extensions to us.
[1] https://support.mozilla.org/en-US/kb/recommended-extensions-program
Additionally, we are taking a look at how we ask for and grant host permissions as part of our Manifest version 3 work, so I'm closing this as a duplicate of bug 1578284.