Currently, declarativeNetRequest has 2 extremes:
1. not being able to block any URLs, by simply not requesting the declarativeNetRequest permission. chrome.declarativeNetRequest returns undefined in the background page/service worker in this case.
2. being able to block any URLs from any origin by any initiator, by requesting the declarativeNetRequest permission, which tells the user the extension will be able to "block content on any page you visit". Additionally, redirect and modifyHeaders capabilities can be used if host permissions are available for those origins.
This might make sense at the first glance, but is flawed for many use cases where a host permission is inherently necessary, and specially when we take modifyHeaders into account.
Let's say I have an extension that uses the chrome.alarms API in the background service worker to periodically check if the user has unread notifications in
example.com by fetching
example.com/api/notifications every 1 minute, and uses chrome.notifications for telling the user there's new notifications.
It is clear that my extension requires the host permission to work, and cannot be converted to some other permission model, such as activeTab.
At this point, this extension requires a host permission for `
https://example.com/*` and a required `notifications` permission. I am aware that soon, host permissions will be "optional by default", so in the future my extension would need to prompt the user to enable the host permission just after install. I want to make it clear that whether host permissions are enabled on install or not does not change the point I am about to make.
Let's say I want
example.com/page1 to redirect to
example.com/page2. This can be done with a content script, but it would redirect faster to use DNR, and would provide a better experience. Even though my extension already has a host permission for
example.com, which is both the initiator and origin of the request, I cannot use DNR unless I explicitly request the declarativeNetRequest permission. But if I request that permission, I could now theoretically... block images with src `
https://img.service.example/*` from loading on Reddit? And by using DNR I am required to ask extension users to please let the extension "block content on any page you visit". This was not the case with webRequestBlocking. I would probably just use a JS based redirect and provide a worse experience, otherwise, I'd need to explain to my users that I need to block content to provide a redirect, which is a weird thing to say.
Let's now say
example.com updated their security and returns 403 for URL
example.com/api/notifications unless the Referer header is set to `
https://example.com/notifications`. With webRequestBlocking, modifying headers for a origin requires host permissions for it. DNR has that same requirement *and* also requires you request the declarativeNetRequest permission in the manifest.
So, same problem as above. I need to choose between having a non functioning extension by not requesting the permission for DNR, or I need to ask for excessive permissions and explain the user why I'm asking to block content on _any_ page they visit.
There are tons of situations where host permissions are required for an extension to minimally work, mostly because of security HTTP headers. If the extension already has host permissions for the initiator and the origin (or if the initiator is the background service worker), why does the extension need to ask for excessive permissions?
This problem is more important for extensions that already existed before DNR existed, excluding general content blockers. Content blockers are trading <all_urls> for declarativeNetRequest, which is great!
But extensions that have always needed and will always need a specific host permission to minimally work, are in a strange situation. They can continue to run arbitrary JavaScript in those websites, but they cannot block, redirect or modify headers without requesting excessive permissions. WRB did allow them to do this, so inevitably, these extensions will try to delay their migration to manifest V3 as long as possible. For these extensions, DNR removes no permissions, but it adds one. Even if you're doing the same thing as you were previously doing with WBR (e.g. spoof Referer header), because of the current design of DNR, you'll need to tell users "whoops, we can now block any content, but we promise not to".
DNR has been out for a while, but unless something is done about this, I bet we'll see lots of extensions rushing to update to manifest V3 before the deadline, having no other option but to request blocking capabilities when all they need is spoofing Referer, Origin or X-Frame-Options headers for them to work.