Open Bug 1720571 Opened 3 years ago Updated 2 years ago

Consider coalescing permissions UI for same domain across multiple TLDs (and especially for google)

Categories

(WebExtensions :: General, enhancement, P3)

enhancement
Points:
3

Tracking

(Not tracked)

People

(Reporter: zombie, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [mv3-m2])

Quoting Rob Wu:

Chrome collapses host permissions where host minus eTLDs are collapsed.
www.google.co.uk, www.google.com, www.google.nl, maps.google.com becomes "www.google.com and maps.google.com". For the logic and references to code, see https://source.chromium.org/chromium/chromium/src/+/main:extensions/common/permissions/permission_message_util.cc;l=40;drc=a1e1598b6309e8a8094a3fbef99dfeb9c6e4e042 and crbug.com/72732

In contrast, Firefox just dumps the full list of hosts, see the "Permissions" section at https://addons.mozilla.org/en-US/firefox/addon/dont-track-me-google1/ for an example.

We've had developers ask this, most often for google.* domains, since that's basically the only global company that actively operates user-facing domains across more than a handful TLDs.

I even considered adding a special google.* permission just for this usecase, but it turns out Chrome has managed to back into a similar result from the opposite end, and is probably worth considering.

I cannot determine from the Chrome code how this is done safely. What if someone else ends up owning google.whatever? It also seems somewhat bad to favor/special-case specific companies.

Anne, what would the issue be with using the eTLD service?

Severity: -- → N/A
Flags: needinfo?(annevk)
Priority: -- → P3
Whiteboard: [mv3-m2]

Shane, how would the Public Suffix List help in determining that google.com and google.nl have the same owner?

Flags: needinfo?(annevk)

IIUC The point here is simplifying some ui.

in the permission type prompting, something like:

Access to amazon.com
Access to multiple google domains

in the addon permissions, perhaps something like:

[+] google.* [enable|disable]

hitting the + expands to

[+] google.* [enable|disable]
google.com [enable|disable]
google.nl [enable|disable]
google.something [enable|disable]

I'm not certain ownership is terribly important with this as we would still want granular capability. Aside from that, are users going to know that google.com and google.something are not owned by google?

In the current situation, where a user is shown a prompt with 100+ Google domains, what are the odds that they would see google.something amidst the lot of other Google domains? I don't think that we need to worry about users getting confused that "google.com and google.something are not owned by google".

Points: --- → 3
You need to log in before you can comment on or make changes to this bug.