Merge pull request #857 from w3c/meeting-2025-07-31

Rob--W · web-flow · commit 5fc5b6122639 · 2025-08-13T18:39:05.000+02:00
Publish minutes of 2025-07-31 meeting
diff --git a/_minutes/2025-07-31-wecg.md b/_minutes/2025-07-31-wecg.md
@@ -0,0 +1,175 @@
+# WECG Meetings 2025, Public Notes, Jul 31
+
+ * Chair: Simeon Vincent
+ * Scribes: Rob Wu
+
+Time: 8 AM PDT = https://everytimezone.com/?t=688c0380,384
+Call-in details: [WebExtensions CG, 31st July 2025](https://www.w3.org/events/meetings/43e4fb8e-4736-445c-b051-2383ffeef033/20250731T080000/)
+Zoom issues? Ping @zombie (Tomislav Jovanovic) in [chat](https://github.com/w3c/webextensions/blob/main/CONTRIBUTING.md#joining-chat)
+
+
+## Agenda: [discussion in #854](https://github.com/w3c/webextensions/issues/854), [github issues](https://github.com/w3c/webextensions/issues)
+
+The meeting will start at 3 minutes after the hour.
+
+See [issue 531](https://github.com/w3c/webextensions/issues/531) for an explanation of this agenda format.
+
+ * **Announcements** (2 minutes)
+   * [Issue 843](https://github.com/w3c/webextensions/issues/843): TPAC registration is open, we have ~12 hours of[ meeting time scheduled](https://github.com/w3c/webextensions/issues/843#issuecomment-3140015582) across Monday and Thursday.
+ * **Triage** (15 minutes)
+   * [Issue 849](https://github.com/w3c/webextensions/issues/849): Inconsistency: native messaging size limit
+   * [Issue 855](https://github.com/w3c/webextensions/issues/855): Proposal: Clarify the scale parameter for tabs.captureVisibleTab
+   * [Issue 856](https://github.com/w3c/webextensions/issues/856): Inconsistency: browser.downloads.download API can ignore file name extension if MIME is known type
+ * **Timely issues** (0 minutes)
+   * N/A
+ * **Check-in on existing issues** (20 minutes)
+   * [Issue 762](https://github.com/w3c/webextensions/issues/762): DNR: Add excludedTopFrameDomains (and topFrameDomains) ([@lenacohen](https://github.com/lenacohen))
+   * The outstanding comment from Oliver on https://github.com/w3c/webextensions/pull/837 and see if Apple can take a look.
+ * **Open discussion**
+   * PSA: A German appeals court is considering whether to ban adblockers on the grounds that they are creating derivative works of webpages.
+   * [Issue 616](https://github.com/w3c/webextensions/issues/616): Content script injection inconsistencies in the sidePanel
+   * DNR / Content Script compatibility with non-tab contexts (such as sidebars) (Maone)
+   * [PR 852](https://github.com/w3c/webextensions/pull/852#discussion_r2225631737): WPT update, also quick assertTrue discussion
+   * [Issue 116 comment](https://github.com/w3c/webextensions/issues/116#issuecomment-3032442917): Proposal: stop adding `host_permissions` from `content_scripts`
+   * [Pull 799 comment](https://github.com/w3c/webextensions/pull/799#discussion_r2080111012): Add `browser.permissions.canAccess()` proposal
+
+
+## Attendees (sign yourself in)
+
+ 1. Rob Wu (Mozilla)
+ 2. Simeon Vincent (Mozilla)
+ 3. Tomislav Jovanovic (Mozilla)
+ 4. Devlin Cronin (Google)
+ 5. Giorgio Maone (NoScript, Tor)
+ 6. Timothy Hatcher (Apple)
+ 7. Kiara Rose (Apple)
+ 8. Lena Cohen (Privacy Badger, EFF)
+ 9. Carlos Jeurissen (Jeurissen Apps)
+ 10. Harsh Singh (Google Summer of Code)
+ 11. Jordan Spivack (Capital One)
+ 12. David Vaisbrud (LayerX)
+ 13. Mukul Purohit (Microsoft)
+
+
+## Meeting notes
+
+[Issue 843](https://github.com/w3c/webextensions/issues/843): TPAC registration is open, we have ~12 hours of [meeting time scheduled](https://github.com/w3c/webextensions/issues/843#issuecomment-3140015582) across Monday and Thursday.
+
+ * [simeon] TPAC registrations are open. The meeting schedule is also published; we have 12 hours of meeting time split over Monday and Thursday.
+
+[Issue 849](https://github.com/w3c/webextensions/issues/849): Inconsistency: native messaging size limit
+
+ * [simeon] Didn't we discuss this last time?
+ * [rob] Chrome's perspective was missing; also in the meantime additional discussion happened on the issue.
+ * [simeon] The author is asking for browsers to provide chunking so that native messaging limits are not exposed to extensions.
+ * [rob] That's an assumption on the implementation, and not necessarily the technical reason.
+ * [simeon] They'd like a higher limit.
+ * [rob] 1 MB can be higher, but what limit would be good enough?
+ * [devlin] Heard of use case like JSON-encoding a video, in which case 64 MB is too small. Realistic use cases also include password stores, which could be large, and 1 MB would be too small. We could bump to 64 MB, and also have other ways to overcome IPC limits. But as the native messaging implementation is not optimal, we're concerned about the impact. And size limitations discourages using native messaging for these data-intensive use cases. Recommend using localhost & web transport mechanisms instead.
+ * [rob] Aren't browsers locking down localhost access?
+ * [devlin] Arguably, but this is in extensions. On the web the ability to run a native application is a sandbox escape, but it's acceptable in extensions.
+ * [rob] Requires a server to be continuously running, a bit different than dropping a file in a location and letting the browser launch it.
+ * [devlin] Mostly just trying to say that I'm not convinced increasing the native messaging limit is the right path.
+ * [rob] Are we willing to raise the limit from 1 MB (native app-to-browser) and 64 MB (browser-to-native app) or possibly higher?.
+ * [devlin] Hesitant to raise beyond 64 MB because copying string buffers larger than that is nontrivial and has performance implications.
+ * [rob] 64 MB is a reasonable limit from extensions to native messaging host, but the opposite direction is 1MB. Are we in favor of raising that limit to 64 MB?
+ * [devlin] Have to look into why we are at 1 MB, but in principle amendable to raising the limit to 64 MB.
+ * [kiara] 64 MB in either direction works for Safari, as long as 80 MB is not exceeded (due to xpc service limits).
+ * **Consensus**: alignment on raising limit to 64 MB in either direction.
+ * [rob] Do we want to set an environment variable or something to expose limits to native applications?
+ * [tomislav] They can always test the limits manually, so there's no reason to hide this variable.
+
+[Issue 855](https://github.com/w3c/webextensions/issues/855): Proposal: Clarify the scale parameter for tabs.captureVisibleTab
+
+ * [devlin] We added “rect” for a visible region, and noticed that “scale” does something different. Our implementation right now () uses “scale” to scale from device independent pixels to pixels, opposed to actually upscale the captured region.
+ * [rob] Tomislav, I think you touched this last, do you know anything about it?
+ * [tomislav] We use it as a scale parameter for dpi calculations.
+ * [devlin] If you have device pixels and css pixels 1:1, and pass a scale of 2, what is the captured region in Firefox?
+ * [tomislav] Should behave as if you manually changed the scale to 200%.
+ * [devlin] In that case, would it change the captured region too?
+ * [rob] That's strange. That would also imply reflow and rerender of the content, whereas this API is supposed to just capture what is displayed.
+ * Action item: Tomislav to to investigate how the current implementation works and follow up on the bug.
+
+[Issue 856](https://github.com/w3c/webextensions/issues/856): Inconsistency: browser.downloads.download API can ignore file name extension if MIME is known type
+
+ * [rob] It seems the request is to be able to set a specific file name. Firefox's file name handling is more permissive than Chrome's. I know Chrome will rename the filename in more cases.
+ * [devlin] I'm surprised that we strip the custom file extension. I don't know if there are extensions reliant on this behavior. What if the MIME type and file extension don't match?
+ * [rob] I wonder if this could be overridden using the onDeterminingFilename event in Chrome. Firefox doesn't support this, but Chrome does. If you're concerned about existing extensions, we could introduce a parameter to explicitly change behavior.
+ * [devlin] Think we should see what we can do to gather more information about all the various scenarios, what all the browsers do, and follow up on a solution that works as broadly as possible.
+ * [rob] Could someone from Chrome look into whether the behavior is expected and/or find a crbug?
+
+[Issue 762](https://github.com/w3c/webextensions/issues/762): DNR: Add excludedTopFrameDomains (and topFrameDomains) ([@lenacohen](https://github.com/lenacohen))
+
+ * [lena] Feature request where all browsers are supportive; wondering about the implementation status. We have another use case: PrivacyBadger is trying to add site-specific allow rules. Planning to work around this by handling site-specific rules via tab-scoped rules. Obviously a potential race condition with this approach. Wanted to see if we can address this issue and curious if other blocking extensions have identified other workarounds.
+ * [devlin] On Chrome side we're supportive; an external contributor Dave Vandyke started the work and updated the patch set this morning. Might be available after next week's branch.
+ * [rob] This was a Google Docs proposal, I don't think that it ever made it into a WECG proposal
+ * [simeon] Will it land in Chrome first and then in the other browsers?
+ * [devlin] Hoping to land this soon, so I guess that depends on how quickly other browsers get to it ;)
+ * [rob] I'll create a Bugzilla issue on Firefox's side.
+ * [rob] How about Safari?
+ * [kiara] We're supportive of this, but no timeline yet.
+ * [lena] Glad to hear all of this.
+
+[PR 817](https://github.com/w3c/webextensions/pull/817): Proposal: Focus management API
+
+ * [simeon] I'm overdue on update on sidebar focus proposal; how much time do you have on the Chrome side for GSoC. Wondering if I should prioritize this proposal?
+ * [devlin] Harsh is here. On the Chrome side we're making our way through. Not exactly sure on end timeline.
+ * [harsh] GSoC ends on August, 25th.
+ * [simeon] My interpretation of that is sooner is better than later. Thank you.
+
+Extra time, any topics?
+
+ * [lena] PSA: A German appeals court is considering whether to ban adblockers on the grounds that they are creating derivative works of webpages (https://www.golem.de/sonstiges/zustimmung/auswahl.html?from=https%3A%2F%2Fwww.golem.de%2Fnews%2Furheberrecht-von-webseiten-bgh-haelt-unzulaessigkeit-von-adblockern-fuer-moeglich-2507-198676.html )
+ * [devlin] Is this related to the Springer one?
+ * [lena] Yes, the one vs Eyeo.
+
+[Issue 616](https://github.com/w3c/webextensions/issues/616): Content script injection inconsistencies in the sidePanel
+
+ * [david] Say I have permission to open [example.com](http://example.com/) and this is opened in the sidebar, from what I can tell in Firefox we are able to inject script but in other browser we cannot. Is this the intended behavior?
+ * [devlin] I would expect content scripts to run in web frames and iframes within an extension's own context. From the issue it sounds like it was correctly run.
+
+DNR / Content Script compatibility with non-tab contexts (such as sidebars) (Maone)
+
+ * [giorgio] DNR processes requests for AI websites in sidebar, where content is blocked, without a way to show UI/UX to allow requests. Maybe treat sidebar as special tabs? E.g. negative tab ID that is not -1.
+   * (rob: FYI relevant issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1974303 )
+ * [rob] If we were to offer a way to target sidebars, how would you use it?
+ * [giorgio] The UI that I have should not be displayed on all tabs, only in sidebars.
+ * [rob] Issue 616 is about content scripts; do we have an issue for DNR in the sidebar?
+ * [giorgio] I don't think we have one explicitly for that.
+ * [rob] Could you create an issue to cover your use case and the fix you'd like to see?
+ * [giorgio] Okay.
+
+[PR 852](https://github.com/w3c/webextensions/pull/852#discussion_r2225631737): WPT update, also quick assertTrue discussion
+
+ * [tomislav] Merged the PR yesterday
+ * [kiara] Updated the RFC.
+ * [tomislav] also responded to jgraham.
+ * [kiara] I'll rebase the wpt PR and ping them in the channel.
+ * [tomislav] on `test.assertTrue`, I investigated common/popular assertion libraries, none of them have a method with this exact name, and usually the common “truthy” assert is called `ok()` or just  `assert()`.
+ * [tomislav] There is a discrepancy between Chrome, Firefox and Safari: Chrome has strict === true in assertTrue, Firefox/Safari treat it as truthy.
+ * [devlin] I prefer strict equality for true, to prevent unexpected things, so that when assertTrue is used, that it passed when true is passed, and not for 7.
+ * [tomislav] assertEq can be used for that.
+ * [devlin] But that's weird.
+ * [rob] Could introduce something else to address the truthy use case.
+ * [tomislav] Could. Would require more work for us to convert to that new value, but not against it.
+ * [timothy] I see the appeal of no accidental conversions; I'm fine making it strict for assertTrue and assertFalse.
+ * [tomislav] Should we pursue introducing assert.ok for the general case?
+ * [timothy] I'd be fine with it if we find it useful.
+ * [devlin] `assertTrue(!!`
+
+We did not verbally discuss the following items, but participants added comments during other discussions.
+
+[Issue 116 comment](https://github.com/w3c/webextensions/issues/116#issuecomment-3032442917): Proposal: stop adding `host_permissions` from `content_scripts`
+
+ * [carlos] Is there a conceptual difference between content script permissions and host permissions? Relevant to permissions.canAccess().
+ * [tomislav] Either content scripts can run, and access it with a permission, or you don't.
+ * _[carlos, async] Question to Devlin: is this expected behaviour in this comment from Fregante? _
+   * [devlin, async] it's unsurprising, though I wouldn't necessarily say desirable.  Right now, the permissions API only looks at host_permissions (or, historically, `permissions`), so it didn't take into account the permissions in content_scripts (whereas our permission warnings obviously do).  I'd be supportive of changing that, especially with permissions.hasAccess(), if there's a good way to indicate it
+   * [carlos, async] thanks for your response! gotcha, so it would make sense to merge these two concepts, there is some “active” discussion on it here: https://github.com/w3c/webextensions/pull/799#discussion_r2080111012
+
+[Pull 799 comment](https://github.com/w3c/webextensions/pull/799#discussion_r2080111012): Add `browser.permissions.canAccess()` proposal
+
+ * _[carlos, async] Do we want to distinguish scriptAccess and hostAccess?_
+ * [simeon, async] That feels like a useful distinction. It's worth noting that we don't currently have this separation of concepts, but maybe we should.
+
+The next meeting will be on [Thursday, August 14th, 8 AM PDT (3 PM UTC)](https://everytimezone.com/?t=689e7880,384).
diff --git a/_minutes/README.md b/_minutes/README.md
@@ -10,23 +10,24 @@ After the end of each meeting, meeting notes are published here.
 
 ## Upcoming meetings
 
-- 2025-07-31 at 8 AM PDT = https://everytimezone.com/?t=688c0380,384
 - 2025-08-14 at 8 AM PDT = https://everytimezone.com/?t=689e7880,384
+- 2025-08-28 at 8 AM PDT = https://everytimezone.com/?t=68b0ed80,384
 
 ## Past meetings
 
+* 2025-07-31 ([minutes](2025-07-31-wecg.md))
 * 2025-07-17 ([minutes](2025-07-17-wecg.md))
 * 2025-07-03 ([minutes](2025-07-03-wecg.md))
 * 2025-06-05 ([minutes](2025-06-05-wecg.md))
 * 2025-05-22 ([minutes](2025-05-22-wecg.md))
 * 2025-05-08 ([minutes](2025-05-08-wecg.md))
-* 2025-04-24 ([minutes](2025-04-24-wecg.md))
 
 <details>
 <summary><strong>All past meeting notes</strong></summary>
 
 **2025**
 
+* 2025-07-31 ([minutes](2025-07-31-wecg.md))
 * 2025-07-17 ([minutes](2025-07-17-wecg.md))
 * 2025-07-03 ([minutes](2025-07-03-wecg.md))
 * 2025-06-05 ([minutes](2025-06-05-wecg.md))
