I was playing around with the Chrome 89 dev version and also I was looking at the updated documentation and it seems that in Manifest v3 you can no longer have optional host permissions, because they can only be specified in the `host_permissions` key.
While I totally understand why this is nice to have at the same time I can see how this limits the extension authors and also probably even making the extensions less secure for the users.
Not being able to specify the wildcard `*://*/` origin as optional permissions, leaves you with just two options:
- Either add it under `host_permissions` with all of its negatives, such as: alarming consent message, exposing your users to malware by default, flagging your extension as dangerous and needing a review
- Or otherwise not having that functionality at all, because in this case you can no longer request any origin dynamically, and also the built-in UI in chrome for managing site access doesn't give you any options
I think one possible way to solve this without changing anything in manifest v3 is to enable the file access UI in chrome always and in cases where the extension does not specify the wildcard host permissions by default just set it to no access or something like that.
This will allow the user to install the extension without any site access, but later on enable certain origins.
Otherwise in its current state the extension author have to specify the `*://*/` wildcard host permission, the user have to consent - open up to vulnerabilities, and only then we can hope that the user will go to the site access UI and explicitly set access to specific sites, or just
http://localhost to disable the access to all that might not be needed.
It's just backwards.
Hope that makes sense.