Required data collection: Website content (Mandated by Mozilla - `data_collection_permissions`)

Open denilsonsa opened this issue 1 month ago • 6 comments

Today Firefox showed a notice that the new version of the SteamDB extension is requiring a new permission:

Required data collection, according to the developer:

  • Website content

I looked at several places to understand what that means for this extension:

  • https://steamdb.info/extension/
  • https://steamdb.info/extension/privacy/
  • https://addons.mozilla.org/en-US/firefox/addon/steam-database/
  • "Release notes" mini-tab inside the SteamDB extension management page, inside about:addons in Firefox.
  • https://github.com/SteamDatabase/BrowserExtension/issues?q=is%3Aissue
  • https://github.com/SteamDatabase/BrowserExtension/tree/master/assets
  • https://github.com/SteamDatabase/BrowserExtension/commits/master/
  • https://github.com/SteamDatabase/BrowserExtension/commits/master/manifest.json

Finally, I found a GitHub comment inside a commit from one month ago. That was awfully difficult to find.

I think this should be better explained in some text somewhere. Even more so because this extension explicitly says it does collect website data in the manifest, which contradicts the Privacy Policy.

In other words, this issue here isn't about code bugs, but a request to please have better communication regarding this subject. Thank you!

denilsonsa avatar Nov 27 '25 09:11 denilsonsa

The problem is that Firefox is forcing this field to be specified, and my understanding from reading their own documents was that websiteContent would be "implicit consent", but it clearly wasn't.

Nothing actually changed. I specified websiteContent because that's what the extension seems to fall under because it does process things like the Steam userdata to highlight the things on your wishlist.

https://extensionworkshop.com/documentation/develop/firefox-builtin-data-consent/#specifying-data-types

It seems like the wording is now "only for new extensions", maybe I should just revert that commit and publish a new version? Mozilla is not clear on this at all.

xPaw avatar Nov 27 '25 09:11 xPaw

I agree, their wording is a bit ambiguous.

> To use Firefox's built-in consent experience, you have to specify what data your extension collects or transmits in the extension’s manifest.json file.

(emphasis mine)

What does it mean? An extension that locally inspects the page and modifies some data without ever transmitting it elsewhere… Does that fall under "collect" but not "transmit"? Does that mean it should request that permission? But then the dialog says something that can be understood that the developer is collecting this information, that the extension is sharing this information with the developer. So, that means the wording should have been "collects AND transmits" instead.

Indeed, this is confusing. For both end-users and developers.

denilsonsa avatar Nov 27 '25 09:11 denilsonsa

I was being conservative and understood "collection" as any possible data, which in this extension specifically means "transferring" things like the appid of a game you are viewing to fetch the lowest price, online stats, last update.

The code that is being uploaded to AMO is 1:1 to what is on GitHub, as we don't even use any building/minification, so you can verify the code yourself.

Like I found this in news, outside of Mozilla's own messaging:

> The organization has committed to mandating adoption across all extensions during the first half of 2026, though advance notification will precede this transition.

So like even if I reverted this change, it would become mandatory in the future anyway.

xPaw avatar Nov 27 '25 09:11 xPaw
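
The verification this comment invites, as an added example that is not part of the thread or of the SteamDB extension's code: it hashes every file in a packaged extension against a source checkout and reports the `data_collection_permissions` the package declares. The function names and sample files are constructed; it assumes the store's signing step only adds files under `META-INF/` and that the key sits under `browser_specific_settings.gecko` in the manifest.

```python
import hashlib, io, json, tempfile, zipfile
from pathlib import Path

SIGNING_DIR = "META-INF/"  # assumption: signing adds files only under this directory

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_package_to_source(xpi, source_dir):
    """Diff a packaged extension (path or file object) against a source checkout.

    Files that exist only in the checkout (.git, README, ...) are expected and ignored.
    """
    with zipfile.ZipFile(xpi) as z:
        packaged = {n: digest(z.read(n)) for n in z.namelist()
                    if not n.endswith("/") and not n.startswith(SIGNING_DIR)}
        manifest = json.loads(z.read("manifest.json"))
    root = Path(source_dir)
    source = {p.relative_to(root).as_posix(): digest(p.read_bytes())
              for p in root.rglob("*") if p.is_file()}
    gecko = manifest.get("browser_specific_settings", {}).get("gecko", {})
    return {
        "modified": sorted(n for n in packaged if n in source and packaged[n] != source[n]),
        "only_in_package": sorted(set(packaged) - set(source)),
        "declared_data_collection":
            gecko.get("data_collection_permissions", {}).get("required", []),
    }

def demo():
    """Constructed sample: a small source tree and a package that differs from it."""
    manifest = json.dumps({
        "manifest_version": 3, "name": "demo", "version": "1.0",
        "browser_specific_settings": {"gecko": {
            "data_collection_permissions": {"required": ["websiteContent"]}}},
    }).encode()
    with tempfile.TemporaryDirectory() as src:
        Path(src, "manifest.json").write_bytes(manifest)
        Path(src, "scripts").mkdir()
        Path(src, "scripts", "store.js").write_bytes(b"console.log('highlight wishlist');\n")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("manifest.json", manifest)
            z.writestr("scripts/store.js", b"console.log('changed');\n")
            z.writestr("scripts/extra.js", b"// not in the repository\n")
            z.writestr("META-INF/manifest.mf", b"constructed signing entry\n")
        buf.seek(0)
        return compare_package_to_source(buf, src)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

An empty `modified` and `only_in_package` for a real package and the matching release tag is what "1:1" would look like; `declared_data_collection` shows which data types that version's manifest lists.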

Well, reading the documentation and investigating this issue didn't bring me any answers, but rather a lot more questions. I decided to go ahead and open an issue on mozilla/addons repository: https://github.com/mozilla/addons/issues/15945

denilsonsa avatar Nov 27 '25 10:11 denilsonsa

By the way to clarify further, this "permission" does not actually give any extra access to the extension, this is purely an informational invention of Mozilla.

xPaw avatar Nov 28 '25 08:11 xPaw

If anyone wonders what the user experience of this is:

Image Image

The link leads to https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions?as=u&utm_source=inproduct, which is a generic-ass article that does not even mention website content anywhere.

I love how the general consensus is "nothing has changed, Mozilla added this text to confuse users".

Meanwhile on the addon page:

Required data collection, according to the developer:

Website content

Some software and browser addons will explain the rationale behind required permissions, especially when the scope of the permission goes beyond what is actually used.

May I suggest updating the addon description with something like this?

Required permissions

  • A - the extension needs it to do B
  • X - for Y
  • Website content - Mozilla requires us to declare this because the addon is directly accessing website content. For people confused by the update notification requiring new permissions, nothing has changed in regard to how the addon is working and we still don't collect any data from users.

Obviously use your wording, just wanted to depict what I mean.

terax6669 avatar Dec 09 '25 12:12 terax6669

v4.30 reverts this field, which was just approved by Mozilla.

No reason to keep this listed until they figure out what the hell they are doing or it becomes forced.

xPaw avatar Dec 15 '25 11:12 xPaw