Merge pull request #870 from w3c/meeting-2025-09-11

Rob--W · web-flow · commit 4f1aed7d47b8 · 2025-09-25T17:02:14.000+02:00
Publish minutes of 2025-09-11 meeting
diff --git a/_minutes/2025-09-11-wecg.md b/_minutes/2025-09-11-wecg.md
@@ -0,0 +1,145 @@
+# WECG Meetings 2025, Public Notes, Sep 11
+
+ * Chair: Kiara Rose
+ * Scribes: Rob Wu
+
+Time: 8 AM PDT = https://everytimezone.com/?t=68c36280,384
+Call-in details: [WebExtensions CG, 11th September 2025](https://www.w3.org/events/meetings/43e4fb8e-4736-445c-b051-2383ffeef033/20250911T080000/)
+Zoom issues? Ping @zombie (Tomislav Jovanovic) in [chat](https://github.com/w3c/webextensions/blob/main/CONTRIBUTING.md#joining-chat)
+
+
+## Agenda: [discussion in #867](https://github.com/w3c/webextensions/issues/867), [github issues](https://github.com/w3c/webextensions/issues)
+
+The meeting will start at 3 minutes after the hour.
+
+See [issue 531](https://github.com/w3c/webextensions/issues/531) for an explanation of this agenda format.
+
+ * **Announcements** (2 minutes)
+   * N/A
+ * **Triage** (15 minutes)
+   * [Issue 394](https://github.com/w3c/webextensions/issues/394): DNR: Add support for wildcards in initiatorDomains and excludedInitiatorDomains fields
+   * [Issue 868](https://github.com/w3c/webextensions/issues/868): DNR redirects make fetch(..., { redirect: "error" }) reject → easy blocker detection
+   * [Issue 869](https://github.com/w3c/webextensions/issues/869): Expose browser UI theme (read-only + change event)
+ * **Timely issues** (10 minutes)
+   * N/A
+ * **Check-in on existing issues** (20 minutes)
+   * [PR 798](https://github.com/w3c/webextensions/pull/798): Proposal: Allow to change permissions behavior on extension updates
+     * agreed on"backward compatibility" concern
+     * browser vendors to review and agree on the proposal
+     * discuss alternative (permissions_on_install) https://github.com/w3c/webextensions/pull/798#issuecomment-3281329407
+
+
+## Attendees (sign yourself in)
+
+ 1. Oliver Dunk (Google)
+ 2. Rob Wu (Mozilla)
+ 3. Kiara Rose (Apple)
+ 4. Dave Vandyke (DuckDuckGo)
+ 5. Giorgio Maone (Tor, NoScript)
+ 6. Krzysztof Modras (Ghostery)
+ 7. Simeon Vincent (Mozilla)
+ 8. Mukul Purohit (Microsoft)
+ 9. Oleksii Levzhynskyi (Grammarly)
+ 10. Jordan Spivack (Capital One)
+ 11. Casey Garland (Capital One)
+ 12. David Johnson (Apple)
+ 13. Carlos Jeurissen (Jeurissen Apps)
+ 14. Harsh Singh (GSoC)
+ 15. Maxim Topciu (AdGuard)
+
+
+## Meeting notes
+
+[Issue 394](https://github.com/w3c/webextensions/issues/394): DNR: Add support for wildcards in initiatorDomains and excludedInitiatorDomains fields
+
+ * [kiara] On the Safari side we added support for subdomains. The asks is for example.\* wildcards is something we cannot support.
+ * [dave] Not sure if having a general TLD wildcard is useful.
+ * [krzysztof] This request came from ad blockers, to match google.\* for example. Recently Ghostery had another use case: to allowlist on the original domain. They don't want to think about whether they have covered everything correctly.
+ * [rob] Would a publicSuffix API help here? Allows extensions to expand wildcards themselves.
+ * [krzysztof] I expect that would help. Of course, don't want to match [google.wordpress.com](http://google.wordpress.com/) for a Google wildcard. Similarly, Rob has an extension (Don't Track Me Google) that is basically a content script injected into a large number of Google domains.
+ * [rob] For that specific example, I listed all known Google domains at the time, but adding a new domain would create a new permission request, so I don't do that.
+ * [oliver] Anchoring of urlPattern would help with anchoring of (sub)domains, wouldn't it?
+ * [dave] Now that you mentioned it, yes, that does work. And regexFilter offers even more flexibility.
+ * [dave] On the Google use case, some domains may not be google dot something, e.g. YouTube.
+ * [timothy] Concerned about affecting unrelated websites that they have not tested with.
+ * [simeon] When I was at Google, there was something with first part domains that grouped domains.
+ * [rob] That's called first party sets, that concept is no longer being pursued.
+   * https://github.com/WICG/first-party-sets
+ * [oliver] First party sets still lives on, as “Related Website Sets”, with some additional requirements.
+   * [simeon] https://privacysandbox.google.com/cookies/related-website-sets and https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API/Related_website_sets
+ * [oliver] On the Google side our opinion is still similar, not keen on the capability of wildcards. Just because you have many on the same TLD, does not mean that you own domains for all TLDs. We are neutral, so willing to accept solutions but not a priority to implement.
+ * [rob] Would regexFilter work? It does not work for initiators right now.
+ * [dave] If we had regular expression matching conditions that applied to initiator domain instead of request domain, I figure that would meet your use-case with the approach like Rob suggested and be more generally applicable?
+ * [rob] Extension could decide which part of the rule the PSL applies to.
+ * [krzysztof] Would work for basic config, but might not work for rule matching. Adds additional complexity to DNR rule processing.
+ * [maxim] Probably could fix, but if you start considering sites unsafe when using regular expressions, might create other problems. But not totally ruling this out.
+ * [kiara] I will discuss this on the Safari side to gather our position.
+
+[Issue 868](https://github.com/w3c/webextensions/issues/868): DNR redirects make fetch(..., { redirect: "error" }) reject → easy blocker detection
+
+ * [krzysztof] Opened by a teammate. When using redirect rules, websites can easily detect the presence of a content blocker. This is not desirable, obviously. Quick solution: whenever the DNR rule applies, return a 200. There's some extra info relevant to Safari: the redirect points to the extension's URL, leaking the extension ID.
+ * [timothy] That's probably something we want to fix.
+ * [rob] That URL leakage is not just a Safari concern. I have wanted to address this issue for years, and we've had other issues filed in WECG. The general solution that I came up with is the ability to replace response bodies while keeping the rest the same. That may still have issues with subresource integrity. First want to see if there is interest from other browsers in modifying the response.
+   * https://github.com/w3c/webextensions/issues/604
+   * https://bugzilla.mozilla.org/show_bug.cgi?id=1712096
+ * [timothy] Interested in that area too.
+ * [oliver] I'd like to follow up. Fingerprinting in general is something we want to avoid. Don't know enough about the caveats for this specific case.
+ * [krzysztof] Don't want to redirect so much as rewrite the response.
+ * [david] Would we want to change to redirect or introduce a new rule to swap response content?
+ * [timothy] Depends on the nature of the redirect. Maybe that's the key, if it's an extension resource replace the response body.
+ * [rob] On the Safari side, are you thinking of a specific approach?
+ * [kiara] Still need to discuss; the fact that we leak the extension URL is something we need to fix.
+ * [timothy] We have some masking of URL, e.g. masking URL in the DOM.
+ * [rob] Are you interested in opening an issue describing your current state, and see what we can do there? I'm very interested in addressing the fingerprinting issue. I have had thoughts before, and recognize the value of cross browser alignment for interoperability.
+ * [timothy] I can do that.
+ * [krzysztof] Are there use cases for redirects to extension resources where the URL should change?
+ * [maxim] Ad blocker extensions usually redirect to internal resources or change parameters.
+ * [krzysztof] Should we disallow redirects to external resources? Concern of untrusted script execution when redirecting to other websites.
+
+[Issue 869](https://github.com/w3c/webextensions/issues/869): Expose browser UI theme (read-only + change event)
+
+ * [oliver] I saw a related Chromium issue opened, I'm not sure what the context is and I haven't heard any discussions internally: https://issues.chromium.org/443765363
+ * [oliver] Firefox has an existing API but it only returns themes applied by an addon, not the browser theme: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/theme/getCurrent
+ * [rob] theme.getCurrent() returning null for the browser theme is a known issue ([bug 1435216](https://bugzilla.mozilla.org/show_bug.cgi?id=1435216)). This is because it is hard to condense the browser theme into the same return type.
+ * [rob] Why do you think this proposal would be a general solution for all use case? So far it has been rather difficult to find a solution to works for various use cases.
+ * [krzysztof] I haven't read all the links Carlos provided due to time constraints. When time allows, I can follow up with a revised proposal.
+ * [timothy] … I see some concern that this may overlap too much with general web functionality. I'm missing the use cases that would be served by this API.
+ * [krzysztof] Many extensions provide sidebars, would be nice to match the theme of the browser. I would be fine with a CSS solution.
+ * [carlos] Accent color and system color aren't supported in all browsers.
+ * [david] I'm in favor of a DOM or CSS based solution, especially with Liquid Glass. Just querying a theme might not be sufficient.
+ * [krzysztof] The browser icon could also benefit from the ability to adapt to colors.
+ * [simeon] Alternatively SVG?
+ * [timothy] Chrome does not support that.
+ * [timothy] In Safari we try to avoid that possibility where a specific color would conflict with the page. It is something the browser should solve, and not every extension on their own.
+ * [krzysztof] Maybe we should move the browser action concerns into a separate issue for clarity.
+ * [timothy] In favor of a declarative solution instead of an event/iterative based approach, due to delays and flashes. That's why we precompute light/dark mode upfront, as we change frequently, which we do with Liquid Glass.
+ * [oleksii] Colors for badges
+ * [timothy] Currently Safari does not support custom colors for badges, it is always red.
+ * [oliver] What do you think of closing this issue and explaining why this specific API would not work?
+ * [simeon] Sounds good to me.
+ * [oliver] I will write a comment.
+
+[PR 798](https://github.com/w3c/webextensions/pull/798): Proposal: Allow to change permissions behavior on extension updates
+
+ * (from agenda)
+   * agreed on "backward compatibility" concern
+   * browser vendors to review and agree on the proposal
+   * discuss alternative (permissions_on_install) https://github.com/w3c/webextensions/pull/798#issuecomment-3281329407
+ * [oleksii] Summary at https://github.com/w3c/webextensions/pull/798#issuecomment-3281105339
+ * [oleksii] PR proposes permission_behavior, which only works for browsers that do support it. Another option is to add a new property (e.g. `permissions_on_install`), a concern is that nobody would use the permissions and use the new permissions key.
+ * [timothy] Problem with backcompat is that we cannot go in the past and change software that users have. Have to bake for 1-2 years before everyone is up to date.
+ * [carlos] I believe that `permissions_on_install` would help here; historically we have `permissions` and `optional_permissions`; `permissions_on_install` would swap the logic around. Instead of specifying the “optional” permissions. You would specify the “to-prompt” permissions. When present, it would suppress the prompting behaviour of `permissions` and the hoisting of `content_scripts` permissions.
+ * [oleksii] So eventually `permissions_on_install` would replace `permissions` key?
+ * [carlos] No, eventually (in a next manifest version), `permissions` and `optional_permissions` can be fused as one `permissions` which are all treated as “optional”. (Kind of what was initially the plan with host permissions in mv3).
+ * [rob] Could you describe a concrete usage of the proposed API? The original use case is about updating: Currently if you have [example.com](http://example.com/) as a host permission. If you want to add [example.net](http://example.net/), Chrome would disable the extension.
+ * [carlos] You'd add the new permission to `permissions_on_install`, but this would only be prompted for new users.
+ * [oleksii] To clarify, a developer would only add [example.net](http://example.net/) to `permissions_on_install`, correct?
+ * [carlos] Correct.
+ * [oleksii] Feels like this property would likely replace permissions.
+ * [rob] I see a use case for developer that don't want to ask for the world. When they want to add a new host permission, they add the new ones to permissions_on_install only, and continue to ask for limited permissions in the `permissions` key. They would gently nudge the user over time to add the new permissions with extension-specific UI (using `permissions.request()`. After a year or so, most users are expected to have approved, and they migrate the required permissions to the `permissions` field to make the requirement explicit (causing the extension to be disabled in Chrome for users who have not approved). Is that the kind of use case you had in mind?
+ * [carlos] Correct. This is to help with a transition period.
+ * [dave] This also encourages extensions to ask for fewer permissions; currently they ask for many upfront to avoid Chrome's issue.
+ * [oliver] I thought we were talking about `permissions_on_install` being a new array. For content scripts, how would content script injection work? I don't think the behavior of one key should affect another.
+ * [oleksii] I can update my proposal to incorporate this feedback and work with Carlos to address his concerns.
+
+The next meeting will be on [Thursday, September 25th, 8 AM PDT (3 PM UTC)](https://everytimezone.com/?t=68d5d780,384).
diff --git a/_minutes/README.md b/_minutes/README.md
@@ -10,23 +10,24 @@ After the end of each meeting, meeting notes are published here.
 
 ## Upcoming meetings
 
-- 2025-09-11 at 8 AM PDT = https://everytimezone.com/?t=68c36280,384
 - 2025-09-25 at 8 AM PDT = https://everytimezone.com/?t=68d5d780,384
+- 2025-10-09 at 8 AM PDT = https://everytimezone.com/?t=68e84c80,384
 
 ## Past meetings
 
+* 2025-09-11 ([minutes](2025-09-11-wecg.md))
 * 2025-08-28 ([minutes](2025-08-28-wecg.md))
 * 2025-08-14 ([minutes](2025-08-14-wecg.md))
 * 2025-07-31 ([minutes](2025-07-31-wecg.md))
 * 2025-07-17 ([minutes](2025-07-17-wecg.md))
 * 2025-07-03 ([minutes](2025-07-03-wecg.md))
-* 2025-06-05 ([minutes](2025-06-05-wecg.md))
 
 <details>
 <summary><strong>All past meeting notes</strong></summary>
 
 **2025**
 
+* 2025-09-11 ([minutes](2025-09-11-wecg.md))
 * 2025-08-28 ([minutes](2025-08-28-wecg.md))
 * 2025-08-14 ([minutes](2025-08-14-wecg.md))
 * 2025-07-31 ([minutes](2025-07-31-wecg.md))
