Clarification of difference between additional privileges granted in MV2 and MV3 host permissions #39260
Conversation
…MV2 and MV3 host permissions
| @@ -59,7 +59,7 @@ Host permissions are specified as [match patterns](/en-US/docs/Mozilla/Add-ons/W | |||
|
|
|||
| The extra privileges include: | |||
|
|
|||
| - [XMLHttpRequest](/en-US/docs/Web/API/XMLHttpRequest) and [fetch](/en-US/docs/Web/API/Fetch_API) access to those origins without cross-origin restrictions (though not for requests from content scripts, as was the case in Manifest V2). | |||
| - [XMLHttpRequest](/en-US/docs/Web/API/XMLHttpRequest) and [fetch](/en-US/docs/Web/API/Fetch_API) access to those origins without cross-origin restrictions, but not for requests from content scripts. (This differs from the behavior of [host permissions in Manifest V2](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#host_permissions) that provided this privilege for requests from content scripts.) | |||
There was a problem hiding this comment.
As a reader, I still find this wording a bit confusing.
The parenthetical sentence contrasts the described behavior with Manifest V2, but it wasn't clear that the first sentence was referring to Manifest V3 in the first place. This is further complicated by the fact that content script behaviors differ across browsers – but lets table this concern for the moment.
I've taken a shot at rewriting this line to be more easily understandable on first read.
| - [XMLHttpRequest](/en-US/docs/Web/API/XMLHttpRequest) and [fetch](/en-US/docs/Web/API/Fetch_API) access to those origins without cross-origin restrictions, but not for requests from content scripts. (This differs from the behavior of [host permissions in Manifest V2](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#host_permissions) that provided this privilege for requests from content scripts.) | |
| - the ability to use [XMLHttpRequest](/en-US/docs/Web/API/XMLHttpRequest) and [fetch](/en-US/docs/Web/API/Fetch_API) to perform HTTP requests on matching origins without encountering cross-origin restrictions. (In Manifest V3 extensions this only applies to requests issued from extension contexts. In Manifest V2 it also applies to requests made by content scripts.) |
There was a problem hiding this comment.
@dotproto the manifest version is stated at the top of the page and clearly identifies that this feature is supported in 3 or above. So I don't believe there was a need to reword. The rewording adds ambiguity as it suggests this feature can be used in 2 and 3 but has different behavior in each.
Description
Rephrases the comment "though not for requests from content scripts, as was the case in Manifest V2" made in the host_permissions manifest key discussion about extra privileges given to XMLHttpRequest and fetch to access the declared origins without cross-origin restrictions. The statement has been interpreted to mean that the privilege isn't given for requests from content scripts in Manifest V2, when it is.
Change originally made as a result of this comment.
Related issues and pull requests
Fixes #39168