In the last few weeks, I developed a DeepL translation extension for platforms that support WebExtension, but one of Firefox's meaningless restrictions really annoys me.
Issue
To display translated text, a dialog must be shown. Since I want the extension to use the platform's native look and feel, there are only two options left for me:
Because users may also want to copy some of the text, the browser.notifications API can't be used; it is also unable to display large amounts of text well. The alert API doesn't have these problems at all, so it's the perfect choice.
It works perfectly fine on Chromium-based browsers. However, Firefox breaks it.
alert() is not supported in background windows; please use console.log instead.
In this Bugzilla comment, that person also indicates that this is intentional.
Mozilla's Resolution
UX
This restriction makes UX worse. On Chromium-based browsers, alerts opened by extensions have their title set to the extension name, like this:
╭────────────────────────────────╮
│ Example Extension │
│ │
│ Hello, World! │
│ OK │
╰────────────────────────────────╯
This gives users a clear indication of which extension is showing these alerts. If any extension is behaving badly, users can remove it with this type of information.
Now, to show alerts on Firefox, extension developers not only need to request the activeTab and/or tabs permission and use the browser.tabs.executeScript API to execute alerts on the tab; the alerts also behave differently:
╭────────────────────────────────╮
│ example.com says │
│ │
│ Hello, World! │
│ OK │
╰────────────────────────────────╯
Now users can't get any indication of which extension is showing these alerts.
So much for the UX!
Process
That Bugzilla bug report was originally about alert not working in background pages, but it's marked as "FIXED" even though it's not fixed at all (replacing an error with a warning is not a fix)!
When someone asked about that, their "needinfo" request was removed immediately without any explanation.
So much for the respect of the community!
New Issue
Security
browser.tabs.executeScript is basically a wrapped eval, and everyone knows using eval is bad, right?
There are also at least 2 Stack Overflow answers ([0] [1]) suggesting using it without warning that it's dangerous!
Since browser extensions can do more than an unprivileged web page, this is even more dangerous.
Performance
The security issue can be mitigated by, for example, converting the string to Unicode codes, but this makes performance worse by doing unnecessary conversions.
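An added example (not from the original post) of the risk described under Security and the mitigation mentioned under Performance: three ways to build the code string passed to browser.tabs.executeScript, run against a constructed hostile translation. The function names and the Node stand-in for the tab are assumptions made for illustration.

```javascript
// Added example: builders for the `code` string passed to
// browser.tabs.executeScript({ code }). Function names are hypothetical.

// Vulnerable: translated text is spliced into source code unescaped.
function buildAlertUnsafe(text) {
  return 'alert("' + text + '");';
}

// Hardened: JSON.stringify emits a valid, fully escaped JS string literal.
function buildAlertJson(text) {
  return 'alert(' + JSON.stringify(text) + ');';
}

// The post's mitigation: ship only numbers, rebuild the string in the tab.
function buildAlertCharCodes(text) {
  const codes = Array.from(text, (ch) => ch.codePointAt(0));
  return 'alert(String.fromCodePoint(' + codes.join(',') + '));';
}

// Stand-in for the tab (assumption: run under Node, no browser needed).
// Evaluates the generated code with a stub alert and a tripwire function.
function runInFakeTab(code) {
  const shown = [];
  let tripped = false;
  const fn = new Function('alert', 'tripwire', code);
  fn((msg) => shown.push(msg), () => { tripped = true; });
  return { shown, tripped };
}

// Constructed sample: a "translation" that closes the string literal early.
const hostile = 'Hi"); tripwire(); ("';

for (const build of [buildAlertUnsafe, buildAlertJson, buildAlertCharCodes]) {
  const { shown, tripped } = runInFakeTab(build(hostile));
  console.log(build.name, { shown, tripped });
}
```

Only the unsafe builder lets the text run as code; the other two display it verbatim. The char-code form turns every character of text into several characters of generated code, which is the conversion overhead mentioned above.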
Resolution
Mozilla, please don't impose meaningless or even harmful restrictions to "protect" users; it makes everyone's life more difficult.