Discuss: scripting.registerContentScripts() when there are no host permissions

[hanguokai]

Chrome, Firefox and Safari(>= 16.4) supports dynamic content script, i.e. scripting.registerContentScripts().

At present, if an extension doesn't have related host permissions, scripting.registerContentScripts() runs without error, and scripting.getRegisteredContentScripts() can get the registered info. But in fact, the registered content scripts don't run in the matched websites. From an ergonomic point of view, this is a bit counterintuitive.

So, I have a few suggestions for registerContentScripts(). Similar to identity.getAuthToken(), add an option parameter for requesting the host permission, and return whether it is registered successful.

browser.scripting.registerContentScripts(
  scripts: RegisteredContentScript[],

  // a new option object
  // if interactive is true, then promote the user to grant the host permissions if needed.
  // like permissions.request(), interactive is true only works with a user gesture.
  option?: { interactive: boolean },

  // return true if all content scripts are registered successful.
  callback?: success => void
)

This suggestion is only to improve the developer experience. It can be workaround by calling permissions.contains()/request() before scripting.registerContentScripts().

[zombie]

While this doesn't sound unreasonable, I wouldn't support this API feature in Firefox. It might seem convenient for developers to add a flag and browser to automatically ask for permissions, but that might provide a false sense for developers that if this method call doesn't return an error, the new content scripts would run from now.

In Firefox MV3 (and in some configurations in other browsers), host permissions can be granted and revoked by users both before and after this method call, and is something that developers should be aware of and account for, using the existing browser.permissions methods and events.

In our opinion that would be the recommended way for this functionality, developers should check if they have all necessary permissions for the newly registered content scripts, and trigger the request for the user for any they might be lacking.

[hanguokai]

In terms of the API itself, Ok, I close this issue.

But the API documentation needs to be improved. Developers needs to be warned that even if this API executes successfully it does not mean that content scripts will actually execute. Dynamic (even static) content scripts only run when the extension has related host permission. Host permissions may be removed by the user at any time. Developers need to use this API in conjunction with browser.permissions API.