|
#REDIRECT [[Browser extension#API conformity]]
'''WebExtensions''' is an [[application programming interface]] (API) for implementing [[browser extension]]s that uses the standard web technologies of [[HTML]], [[Cascading Style Sheets|CSS]], and [[JavaScript]]. It was popularized by [[Google Chrome]], which has a large number of extensions, and was later adopted by other browsers, including [[Firefox]] and [[Microsoft Edge]].
In December 2018, Microsoft announced that Edge is being rebuilt as a [[Chromium (web browser)|Chromium]]-based browser,<ref name=":0">{{Cite web|url=https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/|title=Microsoft Edge: Making the web better through more open source collaboration|date=2018-12-06|website=Windows Experience Blog|language=en-US|access-date=2018-12-14}}</ref><ref name=":3">{{Cite web|url=https://www.windowscentral.com/microsoft-confirms-plans-rebuild-edge-ground-using-chromium-windows-10|title=Microsoft confirms plan to rebuild Edge browser using Chromium on Windows 10|date=2018-12-06|website=Windows Central|language=en|access-date=2018-12-14}}</ref><ref name=":4">{{Cite web|url=http://social.techcrunch.com/2018/12/06/microsoft-edge-goes-chromium-and-macos/|title=Microsoft Edge goes Chromium (and macOS)|website=TechCrunch|language=en-US|access-date=2018-12-14}}</ref><ref name=":5">{{Cite web|url=https://www.computerworld.com/article/3325333/web-browsers/with-move-to-rebuild-edge-atop-googles-chromium-microsoft-raises-white-flag-in-browser-war.html|title=With move to rebuild Edge atop Google's Chromium, Microsoft raises white flag in browser war|last=Keizer|first=Gregg|date=2018-12-08|website=Computerworld|language=en|access-date=2018-12-14}}</ref> which should provide better extension compatibility with Google Chrome.<ref name=":6">{{Cite web|url=https://www.reddit.com/r/Windows10/comments/a3pt19/microsoft_edge_making_the_web_better_through_more/eb8rhe5|title=r/Windows10 - Microsoft Edge: Making the web better through more open source collaboration|website=reddit|language=en|access-date=2018-12-15}}</ref><ref name=":7">{{Cite web|url=https://www.engadget.com/2018/12/10/microsoft-edge-chrome-extensions/|title=Microsoft's new Edge browser will support Chrome extensions|website=Engadget|language=en|access-date=2018-12-15}}</ref> After this transition, Firefox will be the only major browser supporting WebExtensions that is not Chromium-based.
== History ==
=== Google Chrome origins ===
WebExtensions were originally introduced by [[Google]] in the [[Google Chrome]] browser. On September 9, 2009, Google enabled extensions by default on Chrome's developer channel, and provided several sample extensions for testing.<ref>{{Cite web|url=https://blog.chromium.org/2009/09/extensions-status-on-runway-getting.html|title=Extensions Status: On the Runway, Getting Ready for Take-Off|website=Chromium Blog|language=en|access-date=2018-12-14}}</ref> In December 2009, the Google Chrome Extensions Gallery beta began with approximately 300 extensions.<ref>{{Cite web|url=https://googleblog.blogspot.com/2009/12/google-chrome-for-holidays-mac-linux.html|title=Google Chrome for the holidays: Mac, Linux and extensions in beta|website=Official Google Blog|language=en|access-date=2018-12-14}}</ref><ref>{{Cite web|url=https://blog.chromium.org/2009/12/extensions-beta-launched-with-over-300.html|title=Extensions beta launched, with over 300 extensions!|website=Chromium Blog|language=en|access-date=2018-12-14}}</ref> Google Chrome Extensions Gallery was launched on January 25, 2010 containing over 1500 extensions, along with Google Chrome 4.0 on Windows, which enabled extensions by default.<ref>{{Cite web|url=https://chrome.googleblog.com/2010/01/over-1500-new-features-for-google.html|title=Over 1,500 new features for Google Chrome|website=Google Chrome Blog|language=en|access-date=2018-12-14}}</ref> Later, Google Chrome Extensions Gallery was renamed to [[Chrome Web Store]].
=== Adoption by Microsoft Edge ===
Microsoft Edge was built on a completely new engines [[EdgeHTML]] and [[Chakra (JavaScript engine)|Chakra]] and abandoned [[Internet Explorer]]'s legacy [[Trident (software)|Trident]] engine (also known as MSHTML).<ref>{{Cite web|url=https://blogs.msdn.microsoft.com/ie/2015/01/22/project-spartan-and-the-windows-10-january-preview-build/|title=Project Spartan and the Windows 10 January Preview Build – IEBlog|website=blogs.msdn.microsoft.com|access-date=2018-12-15}}</ref><ref>{{Cite web|url=https://blogs.msdn.microsoft.com/ie/2014/11/11/living-on-the-edge-our-next-step-in-helping-the-web-just-work/|title=Living on the edge – our next step in helping the web just work – IEBlog|website=blogs.msdn.microsoft.com|access-date=2018-12-15}}</ref><ref>{{Cite web|url=https://www.theverge.com/2015/1/27/7925007/microsoft-project-spartan-browser-extensions|title=Microsoft reveals its Internet Explorer successor will support extensions|last=Warren|first=Tom|date=2015-01-27|website=The Verge|access-date=2018-12-15}}</ref> Since it is a complete rewrite, it does not support legacy technologies such as [[ActiveX]] and Browser Helper Objects, and instead uses WebExtensions. Edge Extensions are delivered via [[Microsoft Store (digital)|Microsoft Store]] (formerly known as Windows Store), which as of December 2018 lists 214 extensions.<ref>{{Cite web|url=https://www.microsoft.com/en-us/store/collections/edgeextensions/pc|title=Extensions for Microsoft Edge|website=Microsoft Store|language=en-us|access-date=2018-12-15}}</ref>
Although Microsoft Edge WebExtensions implementation aims for interoperability with Google Chrome, some notable differences exist. The API is accessible via <code>browser.*</code> object, instead of <code>chrome.*</code> object like in Google Chrome. Microsoft Edge extension APIs use [[Callback (computer programming)|callbacks]], not promises. Absolute paths starting with <code>ms-browser-extension://</code> in CSS do not work like similar paths in Google Chrome starting with <code>chrome-extension://</code>, developers have to use relative URLs instead.<ref>{{Cite web|url=https://docs.microsoft.com/en-us/microsoft-edge/extensions/api-support/supported-apis|title=Extensions - Supported APIs - Microsoft Edge Development|last=erikadoyle|website=docs.microsoft.com|language=en-us|access-date=2018-12-15}}</ref> Furthermore, not all features are supported, for example extensions can not specify their Content Security Policy (the corresponding entry in the extension manifest is ignored) and extension is run with the default CSP.<ref name=":8" />
In December 2018 Microsoft announced plans to recreate its Edge browser on Chromium [[Blink (browser engine)|Blink]] and [[Chrome V8|V8]] engines (as opposed to its own [[EdgeHTML]] and [[Chakra (JavaScript engine)|Chakra]]).<ref name=":0" /><ref name=":3" /><ref name=":4" /><ref name=":5" /> This decision received mixed feedback: it was celebrated as a victory of modern and open source Chromium over proprietary Edge but also criticized as act of surrendering power over Internet to Chromium main developer Google.<ref>{{Cite web|url=https://motherboard.vice.com/en_us/article/59vke8/microsoft-putting-edge-on-chromium-will-fundamentally-change-the-web|title=Microsoft Putting Edge on Chromium Will Fundamentally Change the Web|last=Williams|first=Owen|last2=Koebler|first2=Jason|date=2018-12-07|website=Motherboard|language=en-US|access-date=2018-12-14}}</ref><ref>{{Cite web|url=https://blog.mozilla.org/blog/2018/12/06/goodbye-edge|title=Goodbye, EdgeHTML|last=Beard|first=Chris|website=The Mozilla Blog|language=en-US|access-date=2018-12-17}}</ref> Edge project manager Kyle Alden stated that the move should resolve all the incompatibilities between Edge and Chrome and expressed intent to support "existing Chrome extensions."<ref name=":6" /><ref name=":7" /> "Existing [<nowiki/>[[Universal Windows Platform apps|Universal Windows Platform]]] apps (including [<nowiki/>[[Progressive web applications|Progressive Web Apps]]] in the Store) will continue to use EdgeHTML/Chakra without interruption", but apps should get an option to use WebView that apps can choose to use based on the new rendering engine.<ref name=":6" />
=== Adoption by Firefox ===
On August 21, 2015 Mozilla announced plans to eventually deprecate [[XPCOM]]- and [[XUL]]-based add-ons and instead introduce support for WebExtensions, to better take advantages of its new multi-process technologies Electrolysis and [[Servo (software)|Servo]].<ref>{{Cite web|url=https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox-add-ons/|title=The Future of Developing Firefox Add-ons|website=Mozilla Add-ons Blog|language=en-US|access-date=2018-12-15}}</ref><ref>{{Cite web|url=https://www.ghacks.net/2015/08/21/mozillas-self-destruct-course-continues-major-add-on-compatibility-changes-announced/|title=Mozilla's self-destruct course continues: major add-on compatibility changes announced - gHacks Tech News|website=www.ghacks.net|access-date=2018-12-15}}</ref> Mozilla refers to XPCOM- and XUL-based add-ons as ''legacy add-ons''. Shortly after Mozilla announced that Firefox 57.* and newer will be called Firefox Quantum and would no longer support ''legacy add-ons''. [[Add-on (Mozilla)|Firefox Add-ons]] restricted upload of ''legacy add-ons'' with maximum version set above 56.*<ref>{{Cite web|url=https://blog.mozilla.org/addons/2017/08/10/upcoming-changes-compatibility/|title=Upcoming Changes in Compatibility Features|website=Mozilla Add-ons Blog|language=en-US|access-date=2018-12-15}}</ref> All ''legacy add-ons'' were removed from Firefox Add-ons in November 2018: the search does not show any ''legacy add-ons'' and loading the URLs of individual extension pages returns "page not found" errors.<ref>{{Cite web|url=https://www.ghacks.net/2018/11/29/it-appears-that-mozilla-removed-all-classic-extensions-from-firefox-add-ons/|title=It appears that Mozilla removed all classic extensions from Firefox Add-ons - gHacks Tech News|website=www.ghacks.net|access-date=2018-12-14}}</ref> Individual users attempted to enable some ''legacy add-ons'' on Firefox Quantum (version 57.* and newer) via a flag and install them from unofficial archives, but those attempts were largely unsuccessful, since some underlying components were removed from Firefox altogether.<ref>{{Cite web|url=https://www.ghacks.net/2017/08/12/how-to-enable-legacy-extensions-in-firefox-57/|title=How to enable legacy extensions in Firefox 57 - gHacks Tech News|website=www.ghacks.net|access-date=2018-12-14}}</ref>
=== W3C working group ===
In 2015 [[World Wide Web Consortium|W3C]] Browser Extension Community Group was formed "to facilitate discussion between Web Browser vendors, as well as other interested parties, in order to establish a set of standards for interoperable browser extensions" and "ensure actual interoperability rather than mere similarity [to Google Chrome APIs]."<ref>{{Cite web|url=https://browserext.github.io/charter/|title=Browser Extension Community Group Charter — Browser Extension Community Group|website=browserext.github.io|access-date=2018-12-14}}</ref> Mike Pietraszak from Microsoft became the editor of the draft.<ref name=":2">{{Cite web|url=https://browserext.github.io/browserext/#respec-offender-linter-local-refs-exist-broken-local-reference-found-in-document-please-fix-the-links-mentioned-see-developer-console-occured|title=Browser Extensions|website=browserext.github.io|access-date=2018-12-14}}</ref> However, as of December 2018, the Community Group hasn't published any reports yet;<ref>{{Cite web|url=https://www.w3.org/community/browserext/|title=Browser Extension Community Group|language=en-US|access-date=2018-12-14}}</ref> only a Working Draft is available. The Community Group is severely understaffed, so the specification is "lagging behind and a little short on the details".<ref>{{Cite web|url=https://lists.w3.org/Archives/Public/public-browserext/2017Jul/0001.html|title=Re: One question from Florian Rivoal on 2017-07-29 (public-browserext@w3.org from July 2017)|website=lists.w3.org|access-date=2018-12-14}}</ref> The standard's future is uncertain, since the group is headed by Mike Pietraszak from Microsoft,<ref name=":2" /> and Microsoft decided to rebuild Edge on top of Chromium.<ref name=":0" />
== Security ==
According to MDN Web Docs, "Because add-ons run in an environment with elevated privileges relative to ordinary web pages, they present a very serious set of security considerations. They have the potential to open security holes not only in the add-ons themselves, but also in the browser, in web pages, and, in particularly distressing cases, the entire system the browser is running on."<ref>{{Cite web|url=https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews|title=Add-on Policies|website=MDN Web Docs|language=en-US|access-date=2018-12-15}}</ref> Online criminals have developed malicious software that can silently hijack the browser settings (for example, change the homepage or inject ads into the visited sites and even block user's ability to restore previous stings to trap the user in undesired state).<ref>{{Cite web|url=https://chrome.googleblog.com/2013/10/dont-mess-with-my-browser.html|title=Don’t mess with my browser!|website=Google Chrome Blog|language=en|access-date=2018-12-15}}</ref>
=== Content Security Policy ===
WebExtension can specify a [[Content Security Policy]] via <code>manifest.json</code> using attribute <code>content_security_policy</code>, or otherwise a default CSP will be applied. Default CSP is <code>script-src 'self'; object-src 'self'</code>, which blocks <code>eval()</code> and similar functions, inline JavaScript, and remote scripts and object resources.<ref>{{Cite web|url=https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy|title=Content Security Policy|website=MDN Web Docs|language=en-US|access-date=2018-12-15}}</ref><ref>{{Cite web|url=https://developer.chrome.com/extensions/contentSecurityPolicy#restrictions|title=Content Security Policy (CSP) - Google Chrome|website=developer.chrome.com|access-date=2018-12-15}}</ref> Vendors have different restrictions as to which CSP are allowed for extensions in their stores:<ref>{{Cite web|url=https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy|title=Content Security Policy|website=MDN Web Docs|language=en-US|access-date=2018-12-15}}</ref> Firefox Add-ons disallows "extensions with <code>'unsafe-eval'</code>, <code>'unsafe-inline'</code>, remote scripts, blobs, or remote sources in their CSP ... due to major security issues."<ref>{{Cite web|url=https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy|title=content_security_policy|website=MDN Web Docs|language=en-US|access-date=2018-12-15}}</ref>
As of December 2018, Microsoft Edge only supports default CSP for all extensions and ignores the <code>content_security_policy</code> attribute.<ref name=":8">{{Cite web|url=https://docs.microsoft.com/en-us/microsoft-edge/extensions/api-support/supported-manifest-keys|title=Extensions - Supported manifest keys - Microsoft Edge Development|last=erikadoyle|website=docs.microsoft.com|language=en-us|access-date=2018-12-15}}</ref>
=== Chrome Web Store ===
In 2014, Google issued an update to Chrome preventing Windows users on the stable channel from installing extensions obtained outside the Chrome Web Store.<ref>{{Cite web|url=http://social.techcrunch.com/2014/05/27/chrome-for-windows-will-now-only-install-extensions-from-googles-web-store/|title=Chrome For Windows Will Now Only Install Extensions From Google’s Web Store|website=TechCrunch|language=en-US|access-date=2018-12-14}}</ref><ref name=":1">{{Cite web|url=https://chrome.googleblog.com/2014/05/protecting-chrome-users-from-malicious.html|title=Protecting Chrome users from malicious extensions|website=Google Chrome Blog|language=en|access-date=2018-12-14}}</ref> The following year Google reported a "75% drop in customer support help requests for uninstalling unwanted extensions" which led them to to expand this restriction to all Windows and Mac users.<ref>{{Cite web|url=https://blog.chromium.org/2015/05/continuing-to-protect-chrome-users-from.html|title=Continuing to protect Chrome users from malicious extensions|website=Chromium Blog|language=en|access-date=2018-12-15}}</ref>
Still, many malicious or deceptive extensions have bypassed Google's review procedures.<ref>{{Cite web|url=https://www.ghacks.net/2018/01/16/security-firm-icebrg-uncovers-4-malicious-chrome-extensions/|title=Security firm ICEBRG uncovers 4 malicious Chrome extensions - gHacks Tech News|website=www.ghacks.net|access-date=2018-12-15}}</ref><ref>{{Cite web|url=https://www.ghacks.net/2018/05/11/googles-bad-track-record-of-malicious-chrome-extensions-continues/|title=Google's bad track record of malicious Chrome extensions continues - gHacks Tech News|website=www.ghacks.net|access-date=2018-12-15}}</ref>
Inline installs was a method for extension developers to advertise their extensions published in the extension stores on their own websites.<ref>{{Cite web|url=https://developer.chrome.com/webstore/inline_installation|title=Using Inline Installation - Google Chrome|website=developer.chrome.com|access-date=2018-12-14}}</ref> This method was a frequent malware vector, so it was removed as part of the Chrome 71 release in December 2018.<ref>{{Cite web|url=https://blog.chromium.org/2018/06/improving-extension-transparency-for.html|title=Improving extension transparency for users|website=Chromium Blog|language=en|access-date=2018-12-15}}</ref><ref>{{Cite web|url=https://www.bleepingcomputer.com/news/security/chrome-extension-devs-use-sneaky-landing-pages-after-google-bans-inline-installs/|title=Chrome Extension Devs Use Sneaky Landing Pages after Google Bans Inline Installs|website=BleepingComputer|language=en-us|access-date=2018-12-15}}</ref><ref>{{Cite web|url=https://www.ghacks.net/2018/10/11/chrome-inline-extensions-install-bypass/|title=Chrome's inline extension install ban already bypassed - gHacks Tech News|website=www.ghacks.net|access-date=2018-12-15}}</ref>
== References ==
{{reflist}}
[[Category:Web browsers]]
[[Category:Application programming interfaces]]
| 