We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

“Access your data for all websites” permission extensions can save the data on their server?

  • 7 replies
  • 1 has this problem
  • 7 views
  • Paskiausią atsakymą parašė Wesley Branton

more options

An extension that has the “Access your data for all websites” permission, can transmit all the data from all websites visited on my browser to their server so to know what credit card I entered on a website or what type of porn do I watch?

How can I check and be sure that it transfer the data or not?

An extension that has the “Access your data for all websites” permission, can transmit all the data from all websites visited on my browser to their server so to know what credit card I entered on a website or what type of porn do I watch? How can I check and be sure that it transfer the data or not?

All Replies (7)

more options

Theoretically, yes. However, most extensions don't do that. They simply need that permission to be able to access certain data.

For example, I made an add-on that blocks websites. I have to include the "Access your data for all websites" permission in my add-on so that I can see what websites the user is loading so that it can be compared to a list of websites that they want to block. Most ad blockers need the same permission for that reason.

That said, sure, there could be some that are transferring data (personal or statistical) to their own servers for their own uses. Detecting that would typically require you to use some kind of network traffic inspection tool like Wireshark to monitor and view what traffic is going over your network.

A far simpler idea would be to avoid extensions that aren't widely trusted and review the privacy policies of add-ons before you install them.

more options

Hi cucurucu, developers who send data out of the browser are supposed to provide a Privacy Policy, which would be linked on the left side of the page on the Add-ons site or in the description. Of course, this assumes the developer is following the rules, so...

more options

Wesley Branton said

Theoretically, yes. However, most extensions don't do that. They simply need that permission to be able to access certain data. For example, I made an add-on that blocks websites. I have to include the "Access your data for all websites" permission in my add-on so that I can see what websites the user is loading so that it can be compared to a list of websites that they want to block. Most ad blockers need the same permission for that reason. That said, sure, there could be some that are transferring data (personal or statistical) to their own servers for their own uses. Detecting that would typically require you to use some kind of network traffic inspection tool like Wireshark to monitor and view what traffic is going over your network. A far simpler idea would be to avoid extensions that aren't widely trusted and review the privacy policies of add-ons before you install them.

It's not possible to implement a system which let the extensions access all the data on websites but to use that data only on the client-side on the local machine, restricting the possibility to send data out on external servers?

more options

Theoretically, you could. You would just need to know where the data is being sent to (via a network monitor) so that you can block it using a firewall or something. However, that could break some add-ons.

more options

cucurucu said

It's not possible to implement a system which let the extensions access all the data on websites but to use that data only on the client-side on the local machine, restricting the possibility to send data out on external servers?

Currently, if an extension has the ability to modify the page, it can inject HTML, CSS, and JavaScript code to do anything the site could do, including images requests, background data communication, and modifying links. I don't know whether there would be a way to restrict what can be done in the page to prevent all scenarios for exfiltration of data.

The Add-ons site uses screening tools that detect certain patterns associated with exfiltrating data, but software is only so smart, so often human review is necessary to catch bad extensions.

more options

My main worry is that the above mentioned private information gathered by these extensions is passed along to any of the big tech companies like Google, Facebook, Twitter or to third parties unknown to me Modzilla. In my opinion the permissions (potentially) totally negate the reasons for me to use Firefox in the first place. This type of data leak emanating from an extension is equivalent to what happened to Facebook data by Cambridge Analytica!!!

more options

You just need to be mindful of the extensions that you are adding to Firefox. Make sure that they are trustworthy and that you read the privacy policy for them (if any). Many developers are open about why they need certain permissions. Certain extensions just can't function without that permission.