09-05-2025 02:31 AM
Calling all Firefox extension developers!
Hello, Alan here again - Product Manager working on Firefox extensions. 👋
In a recent blog post I explained that we’re working to streamline the data consent experience for extensions.
I’m pleased to announce that the initial version of this feature is now available in Firefox Nightly version 139 (and later) for extension developers to test out and provide feedback! We want to make sure that the new data consent experience is easy for extension developers to adopt, and works as a drop-in replacement for any existing custom consent experiences you may have created. We also need to know if the data categories available to choose from are appropriate for your extension.
Please take a look at how you can implement this new experience for your extensions in Firefox Nightly, and then please share any feedback or comments that you have to help make this better below!
Thanks in advance!
09-05-2025 06:46 AM
I have a simple question: what does "collect" here mean? Does an extension that merely processes data locally count? E.g. an extension that searches / reorders / groups the user's bookmarks in some way, or an extension that deletes certain history based on user's input, or an extension that injects code into a webpage that doesn't cause any data to be sent.
09-05-2025 06:52 AM
That is an excellent question! "Collect" includes all data or information the add-on transmits outside of boundaries of the extension or the local browser, such as to an external web server or another program or process on the users computer.
Processing data locally within the add-on and browser, in the examples that you give, probably aren't considered data collection as they're happening locally.
21-05-2025 02:51 AM
Just to be absolutely clear since I read something conflicting elsewhere.
I can request all the following permissions in the manifest.json:
"host_permissions": [
"<all_urls>"
],
"permissions": [
"bookmarks",
"alarms",
"clipboardRead",
"clipboardWrite",
"tabs",
"storage",
"downloads",
"history",
"scripting",
"menus",
"webRequest",
"webRequestBlocking"
]
And can still declare this:
"data_collection_permissions": {
"required": [ "none" ]
}
As long as the extension don't transmit data to an external server?
21-05-2025 05:38 AM
Yes, that is correct. The permissions and data collection permissions are separate so you can declare them in the way you suggest if you don't transmit data outside of the extension.
14-05-2025 03:56 AM
Really appreciate the new built-in consent popup feature—it’s a great addition! I have a few questions regarding this new consent flow:
For existing enterprise extensions that collect data using 3rdparty, will the consent popup still appear during installation?
If an extension is deployed via admin policies like Extensions (Install) or managed through ExtensionSettings, will the consent popup still be shown in those cases?
I’ve previously published a signed add-on. If I plan to submit an updated version, should I adopt this new consent mechanism?
Please specify the timeline if possible from when it comes to live, so that I will plan my upgrade accordingly.
Thanks in advance for any insights!
14-05-2025 05:58 AM - edited 14-05-2025 05:58 AM
Thanks for the feedback, I really appreciate it! To answer your questions.
For existing enterprise extensions that collect data using 3rdparty, will the consent popup still appear during installation?
I am not personally familiar with 3rdparty, but if your extension collects personal data from users you will need to specify this in the manifest and it will show this information to users during the install for them to agree to.
If an extension is deployed via admin policies like Extensions (Install) or managed through ExtensionSettings, will the consent popup still be shown in those cases?
Firefox doesn't show the installation prompts when extensions are installed via admin policies, and this same behaviour will be applied to the consent popup.
I’ve previously published a signed add-on. If I plan to submit an updated version, should I adopt this new consent mechanism?
Yes, you should adopt this in the future. We are still in the development phase for this feature, so there's no need for you to do anything right now. We will publish on our add-ons blog and in many other places when this feature is available for you to use in your extensions, as well as any timelines. We expect to phase this in gradually, so there will be plenty of time for you to submit a new version that takes advantage of this feature!
Thanks again for your feedback!
Edit: Formatting
16-05-2025 06:03 AM
I have some questions:
16-05-2025 06:58 AM
Thanks for your questions!
1. If you specify that the extension has no required data collection, the installation screen will show "The developer says this extension doesn't require data collection"
2. You can't use this in production yet, and addons.mozilla.org won't let you upload an extension with these settings in the manifest just yet. We want to make sure we consider all the feedback before we enable this, but we will plan to do so in the coming months. I'll be sure that we provide as much notice and communication as possible when it is enabled.
3. The plan is for the data_collection_permissions property to be only meant to be in the gecko property and shared by both Firefox Desktop and Firefox for Android
19-05-2025 12:27 AM - edited 19-05-2025 12:32 AM
Please also note the WECG discussion https://github.com/w3c/webextensions/issues/516
14-06-2025 12:20 AM
Thanks For Share This Blog @alanmbyrne
18-06-2025 04:48 PM - edited 18-06-2025 05:44 PM
With respect, while this change is undoubtedly well-intentioned and would likely improve somewhat both the developer and user experiences, I think it's wallpapering over some fundamental issues:
1. Consent. Your definition of "consent" is too narrow. When the single purpose of an extension, as described to the user in advance, is to share certain information externally, and to only do so when explicitly initiated by the user, both (a) confirmation of installation and (b) explicit initiation of such sharing constitute (implied) consent. There is no need to force the developer or the user to jump through any more consent hoops, which is redundant, confusing and annoying. Worse, it gives a false sense of security.
2. Privacy. Personal information is sensitive, but most non-personal information is not. URLs, for example, that are not linked to personally-identifiable information are not sensitive, and to suggest they are is inconsistent with normal Internet behavior, again giving a false sense of security. The Internet's infrastructure and protocols inherently involve the transmission and logging of such information to enable communication and service delivery.
3. Developer Support. The Web is dominated by Chromium, not only Google Chrome, but also Chromium-based browsers including Microsoft Edge, Brave, Opera, and Vivaldi, some of which focus on privacy and security. The market share of Firefox has declined to the point of near irrelevance, creating a negative feedback loop of developer support, which is already worse than Chromium, and imposing new requirements on developers is likely to discourage them from supporting Firefox.
19-06-2025 04:43 AM
Hi JNavas - I really appreciate you taking the time to engage with this topic and provide your feedback!
I do agree that this solution is not perfect, and doesn't address all the points you raise. My goal as a product manager when working on products and features is to continually improve them - not to make them immediately perfect. "Perfect is the enemy of good" as they say.
Here is some of the background context as to why we made the decisions we have:
Firefox's add-on policies have long required developers to clearly state, and gain consent, for the collection and transmission of personal data. This is not a new requirement. The goal of this feature is to reduce the overhead on and make it easier for developers to be compliant with these policies.
Unfortunately we cannot rely on implied consent, as Firefox extensions can be hosted on and installed from 3rd party websites and we have no idea how these extensions are messaged to the user on those. For this reason we require the developer to get explicit consent from the user on install, rather than on download. Not all extensions transmit data only when a user explicitly performs an action. Some extensions run in the background, transmitting data, and we want to ensure that the user is aware of this.
Finally, if an extension has access to the URLs that are browsed, and transmits them to some 3rd party server or application, then this information can be used to build a very personal profile. Some websites also include user or given names, and potentially anything personal as part of their URL structure, so it can very easily become personal data.
Your point about market share is also well taken, and one that we are very aware of here at Firefox! Firefox was created to give users choices about what browsers they have access to and what principles govern the development and maintenance of those browsers. I feel very strongly that user privacy, choice, and transparency around data collection are non-negotiable and that has always been reflected in our add-on policies.
My goal here at Mozilla is to balance this user choice with the needs of our awesome extension developer community. We're not always going to get it right - but I will never stop trying!
I hope this helps explain some of the decisions that were made and why. And as an Australian, I admit that working with holes is very ingrained in our culture - as you can see by this iconic scene in the classic Australian film called The Castle 😀
19-06-2025 04:25 PM - edited 19-06-2025 05:08 PM
@alanmbyrne
Thank you for the detailed reply.
My response (in reverse order):
To be clear, I'm not upset with you, or even Mozilla.
I'm upset with myself for putting up with all the grief and hassles.
John
20-06-2025 09:49 AM - edited 20-06-2025 09:49 AM
My extension update was just rejected, so I will drop support for Firefox (as I had warned).
I sincerely wish the best for Mozilla, but I fear it's direction will continue downward.
John
31-07-2025 11:01 AM
This doesn't really tell most readers anything without a link to the code for your extension and some information about the rejection you received.
31-07-2025 11:30 AM - edited 31-07-2025 11:33 AM
31-07-2025 03:01 PM
I'm concerned that (based on the blog post) this doesn't seem to require, encourage, or even facilitate any statement about what may be done with collected data. For example, the Accessing the data permissions programmatically shows a dialog requesting permission to collect health data, but saying nothing regarding the organizations that would be handling the data, what rules or regulations apply to its processing, or what remedies might be available if it were mishandled. (You can't exactly recover confidentiality, but it is theoretically possible to charge a big enough fine for this that even the greediest entities will treat data with the appropriate care.)
04-08-2025 09:03 AM
Thanks for the comment, I appreciate you engaging with us on this. We would expect the extension developer to document this in their privacy policy. Our add-on store allows the developer to supply a link to this policy, or enter the privacy policy text directly, which a user can then access via the add-ons listing page on addons.mozilla.org.
We're also exploring allowing the developer to add some text to explain why they collect the data and what will be done with it, which will be part of a later release.
06-08-2025 12:19 AM
The new Extension Data Consent experience now available in Firefox Nightly is a step forward in giving users more transparency and control over their data. With this update, Firefox aims to make it clearer how extensions handle data and to ensure users are explicitly informed before granting permissions.
09-08-2025 06:01 AM - edited 09-08-2025 06:07 AM
I submit the addon with using this new consent screen feature, then throw me an error
Error: The "data_collection_permissions" property is reserved for future usage and cannot be used in an extension at the moment.
Originally I thought this is the feature of Firefox Nightly, but then I saw the blog that has the banner showing Firefox built-in consent for data collection and transmission is supported in Firefox for desktop 140 and later, and Firefox for Android 142 and above.
So I decided to use this new feature with my current version (141.0.3) and got the error
Blog's link: https://extensionworkshop.com/documentation/develop/firefox-builtin-data-consent/
And I found a issue when grant the user permission, I have a permission technicalAndInteraction in optional array and I make the granting process in popup page, when user clicks the grant button, the permission prompt show behind the popup, If user close the popup and grant or deny the permission, the popup can't receive the event because the script is stop executing due to close of the popup thus I can't save the user preference into the localStorage, no idea is this a unwanted behavior or not
29-08-2025 05:05 AM
Nice, I'm sure someone would find that useful.
How about considering the formatting of XML responses in the Network tab, like Chrome does since day 1? I don't know why I persist in using Firefox to debug apps when Firefox shows the XML (SOAP) responses as a single, plain raw text line without formatting.