Merge pull request #796 from w3c/meeting-2025-03-27

Rob--W · web-flow · commit 8d54ea7f4968 · 2025-04-10T18:07:42.000+02:00
Publish minutes of 2025-03-27 meeting
diff --git a/_minutes/2025-03-27-wecg.md b/_minutes/2025-03-27-wecg.md
@@ -0,0 +1,162 @@
+# WECG Meetings 2025, Public Notes, Mar 27
+
+ * Chair: Simeon Vincent
+ * Scribes: Rob Wu
+
+Time: 8 AM PDT = https://everytimezone.com/?t=67e49500,384
+Call-in details: [WebExtensions CG, 27th March 2025](https://www.w3.org/events/meetings/0090c842-271b-4194-b93e-9d401d07af5e/20250327T080000/)
+Zoom issues? Ping @zombie (Tomislav Jovanovic) in [chat](https://github.com/w3c/webextensions/blob/main/CONTRIBUTING.md#joining-chat)
+
+
+## Agenda: [discussion in #781](https://github.com/w3c/webextensions/issues/781), [github issues](https://github.com/w3c/webextensions/issues)
+
+The meeting will start at 3 minutes after the hour.
+
+See [issue 531](https://github.com/w3c/webextensions/issues/531) for an explanation of this agenda format.
+
+ * **Announcements** (2 minutes)
+ * **Triage** (15 minutes)
+   * [Issue 782](https://github.com/w3c/webextensions/issues/782): Why does DNR modifyHeaders require host permissions?
+   * [Issue 784](https://github.com/w3c/webextensions/issues/784): Handling of empty background script definitions
+   * [Issue 785](https://github.com/w3c/webextensions/issues/785): Proposal: create \_generated_service_worker.js based on background.scripts
+   * [Issue 786](https://github.com/w3c/webextensions/issues/786): Proposal: Allow extension contexts to set forbidden headers in fetch() API
+   * [Issue 787](https://github.com/w3c/webextensions/issues/787): extension API availability in extension frames embedded on third party websites
+   * [Issue 790](https://github.com/w3c/webextensions/issues/790): Proposal: browser.permissions.isAccessible()
+   * [Pull 793](https://github.com/w3c/webextensions/pull/793): Add proposal: Synchronous data at startup
+   * [Pull 779](https://github.com/w3c/webextensions/pull/779): Sidepanel lifecycle events proposal
+   * [Pull 791](https://github.com/w3c/webextensions/pull/791): Add trial_tokens key to specification
+   * [Pull 792](https://github.com/w3c/webextensions/pull/792): Proposal: runtime.onInvalidated event
+ * **Timely issues** (10 minutes)
+ * **Check-in on existing issues** (20 minutes)
+
+
+## Attendees (sign yourself in)
+
+ 1. Rob Wu (Mozilla)
+ 2. Simeon Vincent (Mozilla)
+ 3. Oliver Dunk (Google Chrome)
+ 4. Devlin Cronin (Google Chrome)
+ 5. Simeon Vincent (Mozilla)
+ 6. Tomislav Jovanovic (Mozilla)
+ 7. Carlos Jeurissen (Jeurissen Apps)
+ 8. Mukul Purohit (Microsoft Edge)
+ 9. Timothy Hatcher (Apple)
+ 10. Maxim Topciu (AdGuard)
+ 11. David Tota (AdGuard)
+ 12. Kiara Rose (Apple)
+ 13. Casey Garland (Capital One)
+ 14. Jordan Spivack (Capital One)
+ 15. Krzysztof Modras (Ghostery)
+ 16. Jan (Tampermonkey)
+ 17. Oleksii Levzhynskyi (Grammarly)
+ 18. Giorgio Maone (Tor, NoScript)
+ 19. Aaron Selya (Google)
+ 20. Rishik Ramena (Microsoft Edge)
+ 21. David Johnson (Apple)
+ 22. Mostafa Aboalkasim (Individual)
+
+
+## Meeting notes
+
+[Issue 782](https://github.com/w3c/webextensions/issues/782): Why does DNR modifyHeaders require host permissions?
+
+ * [simeon] The direct answer to the title question is that not all modifications can be made without user consent.
+ * [rob] Can we close this, or is there a reason for keeping this open?
+ * [timothy] Agreed with closing it.
+
+[Issue 784](https://github.com/w3c/webextensions/issues/784): Handling of empty background script definitions
+
+ * [carlos] What should the behavior be when background.scripts is empty, or background is an empty object.
+ * [oliver] Don't feel too strongly about a soft warning.
+ * [rob] Does Chrome allow background with empty object?
+ * [timothy] I think we will complain with a warning but not an error.
+ * [carlos] I can submit a patch to turn the error into a warning.
+ * [rob] I'd approve that.
+ * [timothy] And I'll file an internal issue for what you mentioned in the issue.
+
+[Issue 785](https://github.com/w3c/webextensions/issues/785): Proposal: create \_generated_service_worker.js based on background.scripts
+
+ * [carlos] This was originally proposed in the issue on preferred_environment. Wondering whether this is something browsers are in favor of.
+ * [oliver] I added “opposed” because when we discussed this in the past, there were concerns about confusion.
+ * [devlin] Sufficient potential for confusion to not want this.
+ * [carlos] Safari successfully implemented this.
+ * [devlin] I can see the value when we have different background definitions.
+ * [oliver] Another use case is when an extension has a library dependency.
+ * [simeon] I hear the argument about not being wild about magic behavior. When I started, while it was surprising for a page to magically exist, it was also more ergonomic.
+ * [devlin] See the value of doing this to support the same extension across multiple browsers.
+ * [simeon] Thoughts from Firefox?
+ * [rob] We support `type=”module”` for event pages and we don't support service workers.
+ * [krzysztof] It's a one-time issue that developers would have encountered during migrations. But the request is to improve this so individuals don't have to discover and implement their own workarounds.
+ * [rob] I'm neutral.
+ * [devlin] Also neutral.
+ * [rob] Does that mean that if someone were to submit a patch, that you would be willing to accept it?
+ * [devlin] … sure.
+ * [oliver] Timothy, can you clarify Safari behavior?
+ * [timothy] If it's just scripts, it's a background page. If you specify `”preferred_envrionment”: “service_worker”`, it is a service worker based on `service_worker` (or auto-generated from `scripts` if `service_worker` is absent).
+
+[Issue 786](https://github.com/w3c/webextensions/issues/786): Proposal: Allow extension contexts to set forbidden headers in fetch() API
+
+ * [oliver] Other spec authors are seeking official support before proceeding.
+ * [devlin] Intent is to only expose this in a trusted execution environment.
+ * [timothy] Makes sense.
+ * [rob] When I asked about this internally, the only question was about availability in content scripts, and to that I replied that we only want to support this in a privileged extension context, NOT content scripts.
+ * [oleksii] Why do we want to update a web spec?
+ * [devlin] For context, there have been a number of times where developers have said “it would be nice if I could do X” where X is 98% like an extension web API, but with a specific, slightly different behavior for extensions. We don't want to reinvent the wheel.
+ * [jan] What is the timeframe for having this feature?
+ * [devlin] Right now we are at whether we can even do this, whether the open web platform is willing to accept this.
+ * [oliver] Feedback I have heard from extension developers is whether Origin can also be spoofed, since some extensions rely on that.
+ * [rob] In Firefox we require extensions to have the permission for domain specified in the Host request header; could require something similar for extension origins.
+
+[Issue 787](https://github.com/w3c/webextensions/issues/787): extension API availability in extension frames embedded on third party websites
+
+ * [carlos] Behavior of browser is inconsistent when it comes to extension API availability in extension frames. In Chrome it is available.
+ * [rob] Historically Chrome had Firefox's behavior, until they implemented Site Isolation, where these frames are hosted in the extension process.
+ * [tomislav] May break existing extensions. I think that Safari has one process per tab, so they could not do it securely either.
+ * [timothy] Yes, working on multiple processes though.
+ * [carlos] Ok, so extension pages should communicate with the background pages.
+
+[Issue 790](https://github.com/w3c/webextensions/issues/790): Proposal: browser.permissions.isAccessible()
+
+ * [carlos] Extension can have permissions for specific websites, but they cannot act on the Chrome Web Store because it is a privileged page. My proposal is to have a method that returns whether the extension can access the origin.
+ * [tomislav] I have had this idea as well; someone asked whether it can be available synchronously, and the answer is no. Useful, but can potentially leak user information.
+ * [devlin] I don't think that it leaks info, an extension can already leak information.
+ * [rob] Different levels of access: sending network requests, reading the URL, being able to inject a script. Extension can already check this. What's the benefit to having an API for this?
+ * [carlos] Avoid side effects.
+ * [devlin] I'm hesitant about advising devs try to do things and
+ * [rob] On the name, should not be “isAccessible” due to potential confusion with the “accessibility” concept.
+ * [carlos] Sounds like it should be async
+ * [oleksii] If it is not solely dependent on permissions, should it belong somewhere else than the “permissions” namespace.
+ * [devlin] The point of this is it's not just checking the extension permissions
+ * [timothy] Should this be on the permissions namespace?
+ * [devlin] I'd put it there. It ties it into the concept of permissions.
+ * [oliver] Would it be useful to support `tabId`, `frameId`, `documentId`.
+ * [timothy] We should handle `tabId`, since `activeTab` can affect the answer per tab.
+ * [devlin] Naming, would prefer to avoid “origin” in the name. Want to be able to support other use cases. Would want to return an object rather than a boolean.
+
+[Pull 793](https://github.com/w3c/webextensions/pull/793): Add proposal: Synchronous data at startup
+
+ * [rob] There have been several use cases where extensions want to initialize state and synchronously access it later. This proposal addresses content scripts (the initial use case)
+ * [simeon] How is data handled across extension updates?
+ * [rob] Doesn't persist by default, but there's a setting to control this
+ * [giorgio] [Proposal has two major limitations](https://github.com/w3c/webextensions/pull/793#issuecomment-2758503261): can't tell if configuration for a tab is applicable to a script and configuration per site isn't covered.
+ * [rob] Per-site configurations can be supported by the extension including the site in the key name. By design, the values are lazily deserialized.
+ * [rob] I'll respond asynchronously on the issue because of time constraints.
+ * [rob] Anyone interested - please state how much quota you'd like to have.
+ * [oliver] Since there aren't ancestor origins in Firefox, may be difficult to target settings for a site.
+ * [rob] Willing to consider exposing the top's origin through an extension API, since the privacy concerns around location.ancestorOrigins may not be a concern in the extension scenario.
+
+[Pull 779](https://github.com/w3c/webextensions/pull/779): Sidepanel lifecycle events proposal
+
+ * [rishik] Created a proposal based on previous discussion. Currently have onCreated and onClosed events.
+ * [oliver] For clarity, the problem with onClosed vs onHidden is that (at least previously, I think still) we sometimes keep extension pages used in a side panel in memory even when it is no longer showing to the user. In that case, do we fire onClosed or not? Similarly, do we fire onOpen if the user opens a side panel not associated with this extension?
+ * [devlin] I think we can have both onClosed and onHidden.
+
+[Pull 791](https://github.com/w3c/webextensions/pull/791): Add trial_tokens key to specification
+
+ * []  (skipped, out of time)
+
+[Pull 792](https://github.com/w3c/webextensions/pull/792): Proposal: runtime.onInvalidated event
+
+ * [] (skipped, out of time; already discussed during the face-to-face)
+
+The next meeting will be on [Thursday, April 10th, 8 AM PDT (3 PM UTC)](https://everytimezone.com/?t=67f70a00,384). Europe Daylight saving time ends on March 30th, so for those in Europe the meeting has returned to 5 PM instead of 4 PM.
diff --git a/_minutes/README.md b/_minutes/README.md
@@ -11,23 +11,24 @@ After the end of each meeting, meeting notes are published here.
 ## Upcoming meetings
 
 - 2025-03-25 until 2025-03-28, face-to-face meeting in Berlin ([issue 759](https://github.com/w3c/webextensions/issues/759))
-- 2025-03-27 at 8 AM PDT = https://everytimezone.com/?t=67e49500,384
 - 2025-04-10 at 8 AM PDT = https://everytimezone.com/?t=67f70a00,384
+- 2025-04-24 at 8 AM PDT = https://everytimezone.com/?t=68097f00,384
 
 ## Past meetings
 
+* 2025-03-27 ([minutes](2025-03-27-wecg.md))
 * 2025-03-13 ([minutes](2025-03-13-wecg.md))
 * 2025-02-27 ([minutes](2025-02-27-wecg.md))
 * 2025-02-13 ([minutes](2025-02-13-wecg.md))
 * 2025-01-30 ([minutes](2025-01-30-wecg.md))
 * 2025-01-16 ([minutes](2025-01-16-wecg.md))
-* 2024-12-19 ([minutes](2024-12-19-wecg.md))
 
 <details>
 <summary><strong>All past meeting notes</strong></summary>
 
 **2025**
 
+* 2025-03-27 ([minutes](2025-03-27-wecg.md))
 * 2025-03-13 ([minutes](2025-03-13-wecg.md))
 * 2025-02-27 ([minutes](2025-02-27-wecg.md))
 * 2025-02-13 ([minutes](2025-02-13-wecg.md))
