WebExtensions

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Anton.bersh (talk | contribs) at 22:15, 4 February 2019. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

WebExtensions is a set of application programming interfaces (APIs) that enable developers to implement additional features and functionality for a browser. WebExtensions use standard web technologies: HTML, CSS, and JavaScript. Extensions can modify the look and behavior of web pages by injecting their own code into them, and can therefore use the same web APIs as the JavaScript running on the page.

These APIs were initially introduced by Google Chrome (and were simply called Chrome Extensions APIs). Owing to the success of Google Chrome and other Chromium-based browsers, the APIs were used by a large number of extensions and were later adopted by other browsers, including Mozilla Firefox (which coined the term WebExtensions) and Microsoft Edge.

In December 2018, Microsoft announced plans to recreate its Edge browser on the Chromium engines Blink and V8 (as opposed to its own EdgeHTML and Chakra),[1][2][3][4] which should make Edge compatible with Google Chrome extensions out of the box.[5][6] After this transition, Mozilla Firefox will be the only browser supporting WebExtensions that is not based on Chromium.

History

Google Chrome origins

WebExtensions were originally introduced by Google in the Google Chrome browser. On September 9, 2009, Google enabled extensions by default on Chrome's developer channel and provided several sample extensions for testing.[7] In December 2009, the Google Chrome Extensions Gallery beta began with approximately 300 extensions.[8][9] The Google Chrome Extensions Gallery was launched on January 25, 2010, containing over 1500 extensions, along with Google Chrome 4.0 on Windows, which enabled extensions by default.[10] The Google Chrome Extensions Gallery was later renamed the Chrome Web Store.

Adoption by Microsoft Edge

Microsoft Edge was built on completely new engines, EdgeHTML and Chakra, and abandoned Internet Explorer's legacy Trident engine (also known as MSHTML).[11][12][13] Since it is a complete rewrite, it does not support legacy technologies such as ActiveX and Browser Helper Objects, and instead uses WebExtensions. Edge extensions are delivered via the Microsoft Store (formerly known as the Windows Store), which as of December 2018 lists 214 extensions.[14]

Although the Microsoft Edge WebExtensions implementation aims for interoperability with Google Chrome, some notable differences exist. The API is accessible via the browser.* object instead of the chrome.* object used in Google Chrome. Microsoft Edge extension APIs use callbacks, not promises. Absolute paths in CSS starting with ms-browser-extension:// do not work the way similar paths starting with chrome-extension:// do in Google Chrome, so developers have to use relative URLs instead.[15] Furthermore, not all features are supported. For example, extensions cannot specify their own Content Security Policy: the corresponding entry in the extension manifest is ignored and the extension runs with the default CSP.[16]

In December 2018, Microsoft announced plans to recreate its Edge browser on the Chromium engines Blink and V8 (as opposed to its own EdgeHTML and Chakra).[1][2][3][4] This decision received mixed feedback: it was celebrated as a victory of the modern, open-source Chromium over the proprietary Edge, but also criticized as an act of surrendering power over the Internet to Google, Chromium's main developer.[17][18] Edge project manager Kyle Alden stated that the move should resolve all the incompatibilities between Edge and Chrome and expressed intent to support "existing Chrome extensions."[5][6] "Existing [Universal Windows Platform] apps (including [Progressive Web Apps] in the Store) will continue to use EdgeHTML/Chakra without interruption", but apps should get the option of using a WebView based on the new rendering engine.[5]

Adoption by Mozilla Firefox and Thunderbird

On August 21, 2015, Mozilla announced plans to eventually deprecate XPCOM- and XUL-based add-ons and instead introduce support for WebExtensions, to take better advantage of its new multi-process technologies called Electrolysis and Servo.[19][20] Mozilla refers to XPCOM- and XUL-based add-ons as legacy add-ons. Shortly afterwards, Mozilla announced that Firefox 57.* and newer would be called Firefox Quantum and would no longer support legacy add-ons. Firefox Add-ons restricted the upload of legacy add-ons with a maximum version set above 56.*.[21] All legacy add-ons were removed from Firefox Add-ons in November 2018: the search does not show any legacy add-ons, and loading the URLs of individual extension pages returns "page not found" errors.[22] Individual users attempted to enable some legacy add-ons on Firefox Quantum (version 57.* and newer) via a flag and to install them from unofficial archives, but those attempts were largely unsuccessful, since some underlying components were removed from Firefox altogether.[23] Mozilla tracks the progress of the removal of XBL on a dedicated site, https://bgrins.github.io/xbl-analysis/graph; as of February 2019, 75% of XBL bindings had been removed from the Firefox codebase.[24]

W3C Browser Extension Community Working Group

In 2015, the W3C Browser Extension Community Group was formed "to facilitate discussion between Web Browser vendors, as well as other interested parties, in order to establish a set of standards for interoperable browser extensions" and "ensure actual interoperability rather than mere similarity [to Google Chrome APIs]."[25] Mike Pietraszak from Microsoft became the editor of the draft.[26] However, as of December 2018, the Community Group hasn't published any reports yet;[27] only a Working Draft is available. The Community Group is severely understaffed, so the specification is "lagging behind and a little short on the details."[28] The standard's future is uncertain, since the group is headed by Mike Pietraszak from Microsoft,[26] and Microsoft decided to rebuild Edge on top of Chromium.[1]

Security

According to MDN Web Docs, "Because add-ons run in an environment with elevated privileges relative to ordinary web pages, they present a very serious set of security considerations. They have the potential to open security holes not only in the add-ons themselves, but also in the browser, in web pages, and, in particularly distressing cases, the entire system the browser is running on."[29] Online criminals have developed malicious software that can silently hijack browser settings, for example by changing the homepage or injecting ads into visited sites, and can even block the user's ability to restore the previous settings, trapping the user in the undesired state.[30]

Content Security Policy

A WebExtension can specify a Content Security Policy in manifest.json using the content_security_policy attribute; otherwise a default CSP is applied. The default CSP is script-src 'self'; object-src 'self', which blocks eval() and similar functions, inline JavaScript, and remote scripts and object resources.[31][32] Vendors place different restrictions on which CSPs are allowed for extensions in their stores:[33] Firefox Add-ons disallows "extensions with 'unsafe-eval', 'unsafe-inline', remote scripts, blobs, or remote sources in their CSP ... due to major security issues."[34]

Microsoft Edge currently (as of December 2018) supports only the default CSP for all extensions and ignores the content_security_policy attribute.[16]
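
The following added example (not part of the article or of any browser's or store's code) audits a parsed manifest.json object against the source types that the article says Firefox Add-ons disallows, falling back to the default CSP when the key is absent. The function names and the sample manifest are illustrative assumptions, and the policy is assumed to be given in the single-string form described above.

```javascript
// Added example (not from the article): audit a manifest's content_security_policy.
const DEFAULT_CSP = "script-src 'self'; object-src 'self'"; // default quoted in the article

// Parse a CSP string into { directive: [source, ...] }.
function parseCsp(csp) {
  const policy = Object.create(null);
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1); // first occurrence wins
  }
  return policy;
}

// Return why a source expression is risky, or null if it is acceptable.
function classifySource(src) {
  const s = src.toLowerCase();
  if (s === "'unsafe-eval'") return "allows eval() and similar functions";
  if (s === "'unsafe-inline'") return "allows inline JavaScript";
  if (s === "blob:") return "allows blob: URLs";
  if (s === "*" || /^(https?|wss?|ftp):/.test(s) || /^[a-z0-9*-]+(\.[a-z0-9-]+)+/.test(s))
    return "allows a remote source";
  return null;
}

// Audit the script-src and object-src directives of a parsed manifest.json object.
function auditManifest(manifest) {
  const declared = manifest.content_security_policy;
  const usedDefault = typeof declared !== "string"; // key absent: default CSP applies
  const policy = parseCsp(usedDefault ? DEFAULT_CSP : declared);
  const findings = [];
  for (const directive of ["script-src", "object-src"]) {
    const sources = policy[directive] || policy["default-src"]; // CSP fallback rule
    if (!sources) {
      findings.push({ directive, source: null, reason: "directive missing, loads unrestricted" });
      continue;
    }
    for (const source of sources) {
      const reason = classifySource(source);
      if (reason) findings.push({ directive, source, reason });
    }
  }
  return { usedDefault, findings };
}

// Constructed sample manifest, for illustration only.
const sample = { name: "demo", content_security_policy:
  "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'" };
console.log(auditManifest(sample).findings);
```

An empty findings list with usedDefault set to true corresponds to an extension that relies on the default CSP, which is the only policy Edge applied as of December 2018.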

Deceptive extensions

Extensions distributed outside of Chrome Web Store

On May 27, 2014, Google issued an update to Chrome preventing Windows users (on the stable channel) from installing extensions obtained outside the Chrome Web Store. The change did not affect the developer channel: developers can still install extensions locally, and businesses can also enable local installs through their Enterprise policies.[35][36] On May 13, 2015, Google reported a "75% drop in customer support help requests for uninstalling unwanted extensions" and announced plans to expand the restriction to all Windows and Mac users (including users of developer channels) because they "observed malicious software forcing users into the developer channel in order to install unwanted off-store extensions."[37]

Inline Installs

Inline installation was a method for extension developers to advertise, on their own websites, extensions that they had published in the extension stores.[38]

On June 12, 2018, Google announced plans to deprecate Inline Installation entirely and remove the API from Chrome 71: when extensions would call the chrome.webstore.install() function, they would be redirected to the Chrome Web Store in a new tab (this policy applied immediately to all extensions published on June 12, 2018 or later and was then expanded to all extensions starting on September 12, 2018).[39] In October 2018, sites were reported to be bypassing the restrictions by loading the extensions' Chrome Web Store page itself over the sites' pages, and resizing and positioning the Chrome Web Store page in a specific way to show only the "Add to Chrome" button.[40][41]

In early December 2018, the inline install API method will be removed from Chrome 71.

Deceptive extensions in extension stores

A number of malicious or deceptive extensions bypassed stores' review procedures.[42][43]

References

  1. "Microsoft Edge: Making the web better through more open source collaboration". Windows Experience Blog. 2018-12-06. Retrieved 2018-12-14.
  2. "Microsoft confirms plan to rebuild Edge browser using Chromium on Windows 10". Windows Central. 2018-12-06. Retrieved 2018-12-14.
  3. "Microsoft Edge goes Chromium (and macOS)". TechCrunch. Retrieved 2018-12-14.
  4. Keizer, Gregg (2018-12-08). "With move to rebuild Edge atop Google's Chromium, Microsoft raises white flag in browser war". Computerworld. Retrieved 2018-12-14.
  5. "r/Windows10 - Microsoft Edge: Making the web better through more open source collaboration". reddit. Retrieved 2018-12-15.
  6. "Microsoft's new Edge browser will support Chrome extensions". Engadget. Retrieved 2018-12-15.
  7. "Extensions Status: On the Runway, Getting Ready for Take-Off". Chromium Blog. Retrieved 2018-12-14.
  8. "Google Chrome for the holidays: Mac, Linux and extensions in beta". Official Google Blog. Retrieved 2018-12-14.
  9. "Extensions beta launched, with over 300 extensions!". Chromium Blog. Retrieved 2018-12-14.
  10. "Over 1,500 new features for Google Chrome". Google Chrome Blog. Retrieved 2018-12-14.
  11. "Project Spartan and the Windows 10 January Preview Build – IEBlog". blogs.msdn.microsoft.com. Retrieved 2018-12-15.
  12. "Living on the edge – our next step in helping the web just work – IEBlog". blogs.msdn.microsoft.com. Retrieved 2018-12-15.
  13. Warren, Tom (2015-01-27). "Microsoft reveals its Internet Explorer successor will support extensions". The Verge. Retrieved 2018-12-15.
  14. "Extensions for Microsoft Edge". Microsoft Store. Retrieved 2018-12-15.
  15. erikadoyle. "Extensions - Supported APIs - Microsoft Edge Development". docs.microsoft.com. Retrieved 2018-12-15.
  16. erikadoyle. "Extensions - Supported manifest keys - Microsoft Edge Development". docs.microsoft.com. Retrieved 2018-12-15.
  17. Williams, Owen; Koebler, Jason (2018-12-07). "Microsoft Putting Edge on Chromium Will Fundamentally Change the Web". Motherboard. Retrieved 2018-12-14.
  18. Beard, Chris. "Goodbye, EdgeHTML". The Mozilla Blog. Retrieved 2018-12-17.
  19. "The Future of Developing Firefox Add-ons". Mozilla Add-ons Blog. Retrieved 2018-12-15.
  20. "Mozilla's self-destruct course continues: major add-on compatibility changes announced - gHacks Tech News". www.ghacks.net. Retrieved 2018-12-15.
  21. "Upcoming Changes in Compatibility Features". Mozilla Add-ons Blog. Retrieved 2018-12-15.
  22. "It appears that Mozilla removed all classic extensions from Firefox Add-ons - gHacks Tech News". www.ghacks.net. Retrieved 2018-12-14.
  23. "How to enable legacy extensions in Firefox 57 - gHacks Tech News". www.ghacks.net. Retrieved 2018-12-14.
  24. "XBL Graphs". bgrins.github.io. Retrieved 2019-02-04.
  25. "Browser Extension Community Group Charter — Browser Extension Community Group". browserext.github.io. Retrieved 2018-12-14.
  26. "Browser Extensions". browserext.github.io. Retrieved 2018-12-14.
  27. "Browser Extension Community Group". Retrieved 2018-12-14.
  28. "Re: One question from Florian Rivoal on 2017-07-29 (public-browserext@w3.org from July 2017)". lists.w3.org. Retrieved 2019-02-04.
  29. "Add-on Policies". MDN Web Docs. Retrieved 2018-12-15.
  30. "Don't mess with my browser!". Google Chrome Blog. Retrieved 2018-12-15.
  31. "Content Security Policy". MDN Web Docs. Retrieved 2018-12-15.
  32. "Content Security Policy (CSP) - Google Chrome". developer.chrome.com. Retrieved 2018-12-15.
  33. "Content Security Policy". MDN Web Docs. Retrieved 2018-12-15.
  34. "content_security_policy". MDN Web Docs. Retrieved 2018-12-15.
  35. "Chrome For Windows Will Now Only Install Extensions From Google's Web Store". TechCrunch. Retrieved 2018-12-14.
  36. "Protecting Chrome users from malicious extensions". Google Chrome Blog. Retrieved 2018-12-14.
  37. "Continuing to protect Chrome users from malicious extensions". Chromium Blog. Retrieved 2018-12-15.
  38. "Using Inline Installation - Google Chrome". developer.chrome.com. Retrieved 2018-12-14.
  39. "Improving extension transparency for users". Chromium Blog. Retrieved 2018-12-15.
  40. "Chrome Extension Devs Use Sneaky Landing Pages after Google Bans Inline Installs". BleepingComputer. Retrieved 2018-12-15.
  41. "Chrome's inline extension install ban already bypassed - gHacks Tech News". www.ghacks.net. Retrieved 2018-12-15.
  42. "Security firm ICEBRG uncovers 4 malicious Chrome extensions - gHacks Tech News". www.ghacks.net. Retrieved 2018-12-15.
  43. "Google's bad track record of malicious Chrome extensions continues - gHacks Tech News". www.ghacks.net. Retrieved 2018-12-15.