#1138: [wg/webextensions] Web Extensions Working Group

Visit on Github.

Opened Aug 15, 2025

This issue was created because the 'horizontal review requested' label was added to § https://github.com/w3c/strategy/issues/146

This review is requested prior to the Advisory Committee Review.

New charter proposal, reviewers please take note.

Charter Review

Charter

diff from charter template

Expected end of charter refinement phase: second half of September

(CG) chair dashboard

What kind of charter is this? Check the relevant box / remove irrelevant branches.

  • New
  • New WG

Communities suggested for outreach

This came from the WebExtensions CG itself. Given the wide market for browser extensions, outreach could be large...

Known or potential areas of concern

This will significantly increase our work area, in particular in horizontals: a11y, security, and privacy. Those experts are already stretched...

Anything else we should think about as we review?

cc @xeenon @dotproto

The Web Extensions draft spec has been developed in a W3C CG Browser Extension CG and is being implemented but not harmoniously, apparently.

Why isn't there a Working Group for this work and what is the REC track plan for Web Extensions? Or, what's the alternative to this spec?

Charter facilitator(s)

cc @plehegar

<!-- Content below this is maintained by @w3c-tag-bot -->

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1138

Discussions

Log in to see TAG-private discussions.

Discussed Sep 1, 2025 (See Github)

Sarven: Review https://github.com/w3ctag/design-reviews-private-brainstorming/issues/193#issuecomment-3244825170

Matthew: APA has looked at this. I do think that this group seems to have been responsible for some positive change, so getting people into a working group is a good thing. They have adopted a novel-for-w3c approach, because they have consensus around differences. Aim to smooth those over eventually. Not sure if the CG will be kept (might be mentioned in charter). We might have an opinion about that, might say that keeping the CG is good. Not sure what else APA said.

Sarven: The charter does indicate coordination with the CG. A bit more specifically on deliverables, there were discussions from PLH (seemed uncertain?) definitely keeping the spec in CR snapshot. They anticipate changes constantly. They don't want to go to REC and have a final cutoff. That was their consensus. I didn't get much about what the coordination would look like, but presume that ... they have a good scope and only mention two deliverables. if the group thinks they need more specs, they will recharter to take more work on. The CG will intubate and add work to the charter as they go. That's based on inference from discussion and charter. ... There were concerns around manifest v3. Didn't dig too deeply, but there are differences in views between browsers. Highlighted in the review. If the CG has incubation experience, then whatever the version is arrived at, then the working group can take that on. Not a TAG call so much. What I thought was more important was to talk about threat models and trust models. There is the idea that CR is active, so they should have a threat modeling exercise and publish that as they go. Implementation experience shows authentication is a challenging part and it needs to be clearer how extensions are authenticated alongside other authentication methods on the platform. Parts might be from FedCM. They might need to iron that out. The point is not to come up with an authentication mechanism, but clarify it in their output.

Martin: Ask for clarification about authentication.

Sarven: Depending on the authentication with remote storage, how would an extension be identified? How might it be authorized to make requests and how would servers authorize requests from extensions? ... Dokieli is an application I work on, it also works as an extension. The feature to annotate webpages, enables the user to store annotations in their preferred storage. users need to authenticate to the extension, so the extension knows about storage and then have the storage system know that the client is authorized to write to that space. That depends on the authentication mechanism. Lots of question marks there.

Matthew: I found APA minutes. +1 to Sarven (on something). APA we did have some things we would want to check and review in the deliverables, but the charter seemed good. One thing is that they work closely with other groups, liaisonization, etc.. Might be good for threat modeling. Simeon, who might be a chair, contacted APA chairs if there was anything we would like to see included. We thought it was fine for us to do horizontal review of deliverables. There might be other groups where that needs to be clear. In terms of threat modeling and S&P, Ehsan's speciality, so we might file issues as interested individuals. On manifest v3, I do agree with Sarven that this is such a big change that this is not going to get consensus, which will cause fragmentation. The group has addressed this by acknowledging the issue and keeping awareness of it. I don't know if they are going to reconcile or just document differences. My own extension used to be a lot better, now you can't run the same code on all browsers. This group is a positive force for fixing that.

Lola: Can we thumbs up Sarven's document, or do you want to add some stuff? ... Did you want to mention authentication.

Sarven: Want to check with Christian? Did this capture the concerns you had?

Christian: It's fine, we could maybe just merge our comments into one. I wrote one as well. Combined would be good.

Sarven: We could merge, but I didn't feel comfortable with the text you had in the first two paragraphs. Do we need to repeat what the charter says?

Lola: Suggest Christian and Sarven work together on a resolution.

Comment by @csarven Sep 5, 2025 (See Github)

https://github.com/w3c/strategy/issues/146#issuecomment-3257447876