Merged
166 changes: 166 additions & 0 deletions _minutes/2026-04-23-wecg.md
@@ -0,0 +1,166 @@
# WECG Meetings 2026, Public Notes, Apr 23

* Chair: Timothy Hatcher
* Scribes: Rob Wu

Time: 8 AM PDT = https://everytimezone.com/?t=69eab280,3c0
Call-in details: [WebExtensions CG, 23rd April 2026](https://www.w3.org/events/meetings/6a0eda89-558c-408d-b83d-5f03b8853c30/20260423T080000/)
Zoom issues? Ping @zombie (Tomislav Jovanovic) in [chat](https://github.com/w3c/webextensions/blob/main/CONTRIBUTING.md#joining-chat)


## Agenda: [discussion in #978](https://github.com/w3c/webextensions/issues/978), [github issues](https://github.com/w3c/webextensions/issues)

The meeting will start at 3 minutes after the hour.

See [issue 531](https://github.com/w3c/webextensions/issues/531) for an explanation of this agenda format.

* **Announcements** (2 minutes)
* 2026 WECG Face to Face (London) concluded ([Issue 951](https://github.com/w3c/webextensions/issues/951))
* **Triage** (15 minutes)
* [Issue 973](https://github.com/w3c/webextensions/issues/973): Proposal: Add `isSigned` boolean to MessageSender
* [Issue 974](https://github.com/w3c/webextensions/issues/974): Have a way to install replacement web extension
* [Issue 976](https://github.com/w3c/webextensions/issues/976): Add manifest key to allow `devtools_page` to run when inspecting service worker contexts
* [Issue 984](https://github.com/w3c/webextensions/issues/984): Proposal: AutoFill Provider API
* [Issue 986](https://github.com/w3c/webextensions/issues/986): `webRequest.ResourceType` and `declarativeNetRequest.ResourceType` for text module imports
* [Issue 980](https://github.com/w3c/webextensions/issues/980): Add web hooks for `onDisabled` and `onUninstalled`
* [Issue 981](https://github.com/w3c/webextensions/issues/981): Persist `runtime.setUninstallURL()` until update
* [Issue 982](https://github.com/w3c/webextensions/issues/982): Inconsistency: CSP compliance on frame navigation initiated by isolated worlds
* [Issue 985](https://github.com/w3c/webextensions/issues/985): CSP Overreach? CSP on certain websites blocks QOL user interaction
* **Timely issues** (10 minutes)
* **Check-in on existing issues** (20 minutes)


## Attendees (sign yourself in)

1. Rob Wu (Mozilla)
2. Tomislav Jovanovic (Mozilla)
3. Kiara Rose (Apple)
4. Timothy Hatcher (Apple)
5. Brian Weinstein (Apple)
6. Oliver Dunk (Google)
7. Tim Judkins (Google)
8. Brandon Lucier (1Password)
9. Carlos Jeurissen (Jeurissen Apps)
10. Casey Garland (Capital One)
11. Christian Rask (1Password)
12. Maxim Topciu (AdGuard)
13. Hilary Hacksel (1Password)
14. Mukul Purohit (Microsoft)
15. Benjamin Bruneau (1Password)


## Meeting notes

2026 WECG Face to Face (London) concluded ([Issue 951](https://github.com/w3c/webextensions/issues/951))

* [timothy] The face-to-face meeting concluded.
* [rob] Meeting notes have been published, with the table of contents listed at https://github.com/w3c/webextensions/pull/979
* [tomislav] Thanks for hosting this time Google!
* [oliver] And thanks for filing in the feedback forms.
* [timothy] We will alternate again between TPAC.

[Issue 973](https://github.com/w3c/webextensions/issues/973): Proposal: Add `isSigned` boolean to MessageSender

* [brandon] We want a way to know that the extension we're communicating with is the one we're communicating with.
* [timothy] Cross-extension messaging?
* [brandon] Yes.
* [timothy] Could also be on an extension in externally_connectable.
* [timothy] Makes sense to me - we have the concept of unsigned extensions in Safari as well.
* [oliver] Capability sounds good to me. Struggling to see what a web page could do with this.
* [timothy] In one direction; web page cannot be signed.
* [rob] For web pages there would not be any value, because an untrusted extension could also use a content script to modify the API that the web page uses. For extensions, it would not be difficult to add the flag, but there is also the question in how much value this would offer. E.g. extensions could also be debugged, or a vulnerable extension could be installed (downgrade) and exploited, the “isSigned” flag on its own does not mean much.
* [timothy] Any other use cases than 1Password?
* [casey] We would also use it in a few different scenarios.
* [timothy] So Oliver to check back. On Safari's side we are supportive.
* [rob] Neutral on Firefox's side.

[Issue 974](https://github.com/w3c/webextensions/issues/974): Have a way to install replacement web extension

* [carlos] A way to transition users from one to another. Developers may end up with multiple versions of the same extension due to acquisition and having multiple versions of the same extension with different manifest versions.
* [oliver] I can see use cases where it is useful, but abuse potential would be considerably more. Extensions are required to have a single-purpose, users could be tricked into installing one extension and switched to another.
* [carlos] Are you familiar with the deprecation process of Chrome platform apps? They already had `installReplacementWebApp`
* [oliver] Yes, but that is an old API and I don't know the history. For this request specifically, I'll check with Devlin, but I don't expect it is something we would pursue.
* [timothy] Supportive of doing this in Safari, when restricted to the same developer. Not seeing much utility in webextension to webextension, maybe MV3 to MV4 in the far future.
* [timothy] Firefox's position?
* [rob] I see abuse potential, but that could be solved by curation. This is more a product question than an API question, I'll ask internally and respond back.

[Issue 976](https://github.com/w3c/webextensions/issues/976): Add manifest key to allow `devtools_page` to run when inspecting service worker contexts

* [oliver] We discussed this during the F2F, current status is for me to put up a proposal.
* [timothy] I don't recall what we do in Safari. Sounds like something that should work already, but not sure if we test it.
* [oliver] Should work, but also question such as what `devtools.inspectedWindow.eval` should do, as there is no window in a service worker.
* [timothy] Wonder whether we should have a different namespace, or an alias.
* [oliver] Also considered that.
* [rob] `inspectedTarget` instead of `inspectedWindow` if we want something generic.

[Issue 984](https://github.com/w3c/webextensions/issues/984): Proposal: AutoFill Provider API

* [oliver] I was initially thinking that this is just integrating with the UI, but the proposal mentioning storage, which gives me a pause.
* [brandon] We discussed this internally at 1Password, but as a password manager we would not store there.
* [timothy] Credential manager at a system level works even when the extension is not installed, which is still our (Apple's) preferred way.
* [brandon] Moving autofill responsibility to the browser would be a no-go for us, since we support it in more scenarios.
* [oliver] We are open to exploring APIs for credential managers, but only if password managers are interested in adopting them.
* [rob] This looks like a proposal without expected use cases or interest for browsers, let's close it?
* [timothy] Sounds good to me.
* [carlos] Can close as a duplicate of https://github.com/w3c-cg/autofill-cg/issues/4

[Issue 986](https://github.com/w3c/webextensions/issues/986): `webRequest.ResourceType` and `declarativeNetRequest.ResourceType` for text module imports

* [rob] Firefox is adding support for text imports. Interest from other browsers to follow. What type should we use? “text”? “other”? More generally, should ResourceType be based on an existing web concept of “destination”?
* [oliver] This is a good question, but I don't know how we've thought about this in the past. I'll follow up.
* [rob] Safari? I guess you copied the initial definition for ResourceType, how do you decide when to add more?
* [timothy] “other” sounds like a good catch-all, seems excessive to add “text” and “bytes” everywhere.
* [carlos] Not sure the destination type needs to be exposed in a new way given it is already provided as header. Which many extension APIs can filter on.
* [rob] Could expose the destination, possibly as a separate field. But there would be much overlap between destination and ResourceType.
* [timothy] If there is much overlap it would make more sense to keep only ResourceType.
* [rob] I considered fetch (xmlhttprequest) too, but that is more powerful than text/bytes imports.
* [timothy] What about the “json” type?
* [rob] We introduced the “json” type when we added json imports. Chrome uses “script”, but those are not scripts, so it felt strange to use that.
* [timothy] Fine with using “other” in the meantime, can introduce more granularity later if needed.

[Issue 980](https://github.com/w3c/webextensions/issues/980): Add web hooks for `onDisabled` and `onUninstalled`

* [carlos] Discussed at the F2F.
* [oliver] Nice idea, worth exploring. Still need to be run with the security and privacy folks.
* [timothy] Not sure if Safari would support this; we can do the disabled one. The user could disable an extension while in the Settings app without the extension running. Also have privacy concerns.
* [benjamin] Best-effort thing would still be valuable.
* [timothy] Use case?
* [benjamin] If we wanted to clean up some scripts, content scripts.
* [timothy] This proposal would not help there, it is a silent ping.
* [kiara] There is a separate proposal (runtime.onInvalidated) to cover that use case.
* [timothy] I'm supportive of onInvalidated.
* [hilary] Are enabled/disabled extensions statistics available across the stores?
* [oliver] The Chrome Web Store shows disabled. Caveat: data in dashboard is based on update checks, unreachable users do not appear in the data.
* [rob] addons.mozilla.org shows usage data based on enabled extensions. It does not include disabled extensions.

[Issue 981](https://github.com/w3c/webextensions/issues/981): Persist `runtime.setUninstallURL()` until update

* [oliver] We discussed this at the F2F but did not reach a conclusion. I'll check internally and comment on the issue.
* [rob] We currently do not persist, so we will await your comment and continue the discussion from there.
* [oliver] Do you want to persist across updates?
* [rob] Would not want to persist this across updates. Already mentioned during the F2F that this would force extensions to account for this forever once they set it.

[Issue 982](https://github.com/w3c/webextensions/issues/982): Inconsistency: CSP compliance on frame navigation initiated by isolated worlds

* [oliver] On the list of topics to follow-up on.
* [timothy] CSP enforcement is complicated, I'd defer to the security experts for this.
* [carlos] Also when request is served from service worker, no good way for extensions to integrate there.

[Issue 985](https://github.com/w3c/webextensions/issues/985): CSP Overreach? CSP on certain websites blocks QOL user interaction

* [rob] LLM AI slop. Not sure if worth discussing. Carlos tried to engage and then got a huge wall of text back attributed to a LLM.
* [timothy] Supportive of closing.

[PR 975](https://github.com/w3c/webextensions/pull/975): Update runtime.onInvalidated with unload reason and isolated world restriction

* [carlos] There was some discussion on whether to keep or drop the other reasons. Kept this in case browsers want to expose the information as there are real use cases for extension developers.
* [timothy] Why unload if there are three others?
* [carlos] Devlin wanted to merge them.
* [timothy] I am in favor of that. Not clear if extensions need to distinguish between the other three.
* [oliver] We had a lot of discussion about this during the F2F. Distinguishing unload vs uninstall was the resolution from my recollection.
* [kiara] Agreed.
* [rob] Agreed. We were aligned on reducing to two reasons.
* [carlos] Sure. Considering none of the browsers are in favour of exposing more detailed reasons than unload and uninstalled, I will update the PR to reflect this.
* [rob] Firefox currently destroys the content script execution environment. At the F2F I suggested to keep the context alive if runtime.onInvalidated was registered. If you have a moment, would be nice to reflect that in the proposal document as well.

The next meeting will be on [Thursday, May 7th, 8 AM PDT (3 PM UTC)](https://everytimezone.com/?t=69fd2780,3c0).
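Review bot: The two everytimezone links in this file, on the "Time:" line and on the closing "next meeting" line, end in `,3c0`, while `_minutes/README.md` lists the same `t=69eab280` and `t=69fd2780` values with `,384`. 0x384 is 900 and 0x3c0 is 960, so if that suffix is a minute offset, only `,384` agrees with the "8 AM PDT (3 PM UTC)" stated in the text; suggest using `,384` in both links here, or confirming which form is intended. Separately, "thanks for filing in the feedback forms" under the Issue 951 notes probably should read "filling in".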
5 changes: 3 additions & 2 deletions _minutes/README.md
Expand Up @@ -10,25 +10,26 @@ After the end of each meeting, meeting notes are published here.

## Upcoming meetings

- 2026-04-23 at 8 AM PDT = https://everytimezone.com/?t=69eab280,384
- 2026-05-07 at 8 AM PDT = https://everytimezone.com/?t=69fd2780,384
- 2026-05-21 at 8 AM PDT = https://everytimezone.com/?t=6a0f9c80,384

## Past meetings

* 2026-04-23 ([minutes](2026-04-23-wecg.md))
* 2026-04-09 ([minutes](2026-04-09-wecg.md))
* 2026-04-09 F2F meetup in London ([minutes](2026-04-09-london-f2f.md))
* 2026-04-08 F2F meetup in London ([minutes](2026-04-08-london-f2f.md))
* 2026-04-07 F2F meetup in London ([minutes](2026-04-07-london-f2f.md))
* 2026-03-26 ([minutes](2026-03-26-wecg.md))
* 2026-03-12 ([minutes](2026-03-12-wecg.md))
* 2026-02-26 ([minutes](2026-02-26-wecg.md))
* 2026-02-12 ([minutes](2026-02-12-wecg.md))

<details>
<summary><strong>All past meeting notes</strong></summary>

**2026**

* 2026-04-23 ([minutes](2026-04-23-wecg.md))
* 2026-04-09 ([minutes](2026-04-09-wecg.md))
* 2026-04-09 F2F meetup in London ([minutes](2026-04-09-london-f2f.md))
* 2026-04-08 F2F meetup in London ([minutes](2026-04-08-london-f2f.md))
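Review bot: The "Upcoming meetings" list in this hunk shows a 2026-04-23 line next to the new 2026-04-23 entries under "Past meetings" and "All past meeting notes"; this view carries no +/- markers, so please confirm that the upcoming 2026-04-23 line is one of the 2 deletions reported for this file, so the date is not listed as both upcoming and past. The same minutes link is also maintained by hand in two lists, so it is worth checking that the short "Past meetings" list was trimmed to its usual length when the new entry was added at the top.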