> I don't see how one follows from the other. Attackers are using malicious extensions to eavesdrop on networks... therefore we need better reviews and not restricted APIs? I get why you might want to advocate for the latter over the former, but certainly it seems like restricting APIs also has positive impact.
As I understand it, the APIs that are removed only remove the ability to modify network requests; the remaining APIs will still allow you to inspect requests.
(Disclosure: I work at Mozilla but not on extension APIs or even Firefox. I have written extensions myself though.)
Ah, thank you. So the idea here is that extensions will still have the read access to requests, which is all attackers care about (typically). Confirmation would be interesting - at minimum I thought that inspecting requests (read only) Was being limited, but I'm just a casual observer.
> As of Manifest V3, the "webRequestBlocking" permission is no longer available for most extensions. Consider "declarativeNetRequest", which enables use of the declarativeNetRequest API. Aside from "webRequestBlocking", the webRequest API will be unchanged and available for normal use.
So the other functionality, to inspect web requests, will still be available.
As I understand it, the APIs that are removed only remove the ability to modify network requests; the remaining APIs will still allow you to inspect requests.
(Disclosure: I work at Mozilla but not on extension APIs or even Firefox. I have written extensions myself though.)