Commit 4967c346 authored by Dietrich Ayala

Merge branch 'google-review' into 'main_publish'

[EXT] Fix Google comments, and add notes about some which need work still

See merge request cyber/stan4cr2/en-304-617!56
parents 251b8706 209bfaad
+17 −12
@@ -453,7 +453,7 @@ Applicability: Web browsers which maintain their own root store, rather than usi

**[REQ-EXT-SBD-1]**: The product shall execute extensions with minimal privileges by default.

Example: The extension execution process runs with the least amount of operating system privileges and least amount of capabilities necessary for its purpose.
Example: The extension execution process runs with no greater operating system privileges or capabilities than are required for the extension execution context.

<mark>Editor's note: Could home in MAS? or IM?</mark>

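Review bot: the replacement example is circular: "no greater operating system privileges or capabilities than are required for the extension execution context" restates REQ-EXT-SBD-1 without saying what determines what is required. Tie it to something an implementer can check, for example "than the extension's declared permissions require". The editor's note "Could home in MAS? or IM?" is also still open and this merge targets main_publish; either move the requirement or drop the note before publishing.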
@@ -461,8 +461,6 @@ Example: The extension execution process runs with the least amount of operating

<mark>Editor's note: This covers the default configuration - the exploitation mitigation is covered in section 5.12.</mark>

<mark>Editor's note: Content scripts can be run in different ways, eg Chrome's isolated worlds vs Firefox's xray-vision. Open question if text change needed due to different ways of handling this where "isolated" maybe isn't the all encompassing term.</mark>

## 5.4 Secure Updates

Proposed ESR code: SU
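Review bot: this hunk deletes the open question about whether "isolated" covers both Chrome's isolated worlds and Firefox's X-ray vision, but nothing in the diff resolves it: no requirement text is changed in this hunk. If the conclusion was that no text change is needed, record that decision in the remaining editor's note above (the one pointing at section 5.12) so it survives review; otherwise the note should stay until the wording is settled.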
@@ -476,6 +474,8 @@ Applicability: Web browsers which maintain their own root store, rather than usi

**[REQ-EXT-SU-1]**: The product shall support automatic updates of extensions, and before installing an update shall cryptographically verify the update.

Applicability: Extensions installed via the product's extension distribution channel. Extensions installed by enterprise policy, by the developer as unpacked extensions, or sideloaded directly by the user are out of scope of this requirement.

**[REQ-STORE-SU-1]** The product shall maintain the validity of data stored to disk across updates.

**[REQ-STORE-SU-2]** The product shall update the Public Suffix List regularly.
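Review bot: the new Applicability paragraph for REQ-EXT-SU-1 exempts three install channels (enterprise policy, unpacked developer extensions, sideloaded by the user), while the Applicability added to REQ-EXT-AAC-4 in this same merge exempts only the first two. If the difference is intentional, say why sideloaded extensions keep origin revocation but lose update verification; if not, align the two lists. It should also say what "out of scope" means for the exempt channels (no automatic updates at all, or updates without cryptographic verification), since both readings are currently possible.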
@@ -488,17 +488,19 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

**[REQ-EXT-AAC-1]**: The product shall enforce a granular permission model for the extension.

Example: Permissions divided such that an extension can request and access the minimum required capabilities for it purpose.
Example: Permissions are decomposed into capability groupings rather than a single all-or-nothing grant.

**[REQ-EXT-AAC-2]**: The product shall grant an extension only the permissions declared in its manifest and granted in accordance with the product's permission model.

**[REQ-EXT-AAC-2]**: The product shall grant an extension only the permissions declared in its manifest and approved by the user.
Note: Some permissions are considered low-impact and auto-granted without an explicit user-visible prompt. The user-prompt requirement is covered separately by REQ-EXT-AAC-3.

**[REQ-EXT-AAC-3]**: The product shall prompt the user with the manifest-declared permissions prior to installation, listing the capabilities and implications of each permission, and allow the user to approve or decline the installation.

**[REQ-EXT-AAC-4]**: The product shall allow the user to review and revoke extension access to specific origins after installation.
Applicability: Extensions installed via the product's extension distribution channel. Extensions installed by enterprise policy or by the developer as unpacked extensions are out of scope of this requirement.

**[REQ-EXT-AAC-5]**: The product shall require additional consent for permissions granting developer tools access or network interception, beyond what's required for standard permissions.
**[REQ-EXT-AAC-4]**: The product shall allow the user to review and revoke extension access to specific origins after installation.

**[REQ-EXT-AAC-6]**: The product shall ensure isolation between the execution and data contexts of different extensions.
**[REQ-EXT-AAC-5]**: The product shall ensure isolation between the execution and data contexts of different extensions.

**[REQ-STORE-ACC-1]** The product shall store data and enforce access according to the Same Origin Policy.

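Review bot: the old REQ-EXT-AAC-5 (additional consent for developer tools access or network interception) is deleted outright and the old AAC-6 is renumbered to AAC-5, with no replacement text and nothing in the merge description flagging the removal. Reusing the number also silently changes what any existing cross-reference to "REQ-EXT-AAC-5" means; the new Note under AAC-2 itself cross-references AAC-3 by number, so references of this kind exist. Either keep the consent requirement (possibly folded into the AAC-3 prompt) or retire the number rather than reusing it, and list the removal in the merge description. Separately, the new AAC-2 wording "granted in accordance with the product's permission model" together with the Note on auto-granted low-impact permissions should say who decides that a permission is low-impact; as written, any model the product chooses satisfies it.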
@@ -542,6 +544,7 @@ Example: Implementation of HSTS [i.8], active mixed content blocking [i.9], and

**[REQ-EXT-CON-1]**: The product shall prevent secrets stored by extensions from being read by other extensions or by web content.

NOTE: This requirement addresses the platform-enforced isolation boundary between extensions, and between extensions and web content. It does not address application-level leaks within an extension's own code.

**[REQ-STORE-CON-1]** The product shall not send third-party cookies by default. They may be supported consistent with the `Partitioned` attribute.

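Review bot: the added note is labelled "NOTE:" in capitals while the note added to REQ-EXT-AAC-2 in this same merge uses "Note:"; pick one form. On content, REQ-EXT-CON-1 protects "secrets stored by extensions", which is narrower than the isolation boundary the note describes (all extension data, not only secrets); either widen the requirement text or state in the note that non-secret extension storage is covered by the isolation requirement in REQ-EXT-AAC-5.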
@@ -606,7 +609,9 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

**[REQ-EXT-IM-2]**: The product shall permit extensions to communicate with native applications only when declared in the extension manifest and the native application is configured according to the product requirements for doing so.

**[REQ-EXT-IM-3]**: The product shall permit extensions to communicate with system webservers when the localhost origin is declared in the extension manifest.
**[REQ-EXT-IM-3]**: The product shall not permit an extension to initiate connections to services on the loopback interface (e.g., `localhost` or `127.0.0.1`) unless localhost access is declared in the extension manifest.

<mark>Editor's note [OPEN]: Confirm that major browsers currently enforce this.</mark>

**[REQ-ISO-IM-1]**: The product's technical documentation shall describe all public network protocols implemented by the product, or include references to such protocols. These protocols shall be described in publicly available specifications, or be described with sufficient technical detail to permit an independent implementation.

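Review bot: the e.g. list in the new REQ-EXT-IM-3 names only `localhost` and `127.0.0.1`; since the requirement is about the loopback interface, add the IPv6 loopback `::1` and say whether the whole 127.0.0.0/8 range is in scope, so the list is not read as exhaustive. "Unless localhost access is declared in the extension manifest" should also say whether a broad host permission that happens to match loopback counts as a declaration, because that is the case the inverted wording is meant to close. The [OPEN] editor's note is going into main_publish unresolved; give it an owner or move it to an issue.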
@@ -618,7 +623,7 @@ Proposed ESR code: MAS

This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 Part 1 (2) (j).

**[REQ-EXT-MAS-1]**: The product's extension APIs shall be documented, and specify for each API the purpose, inputs and outputs, permissions required, its security-related behavior, and the platforms the API is available on.
**[REQ-EXT-MAS-1]**: The product's extension APIs shall be documented, and the documentation shall specify for each API the purpose, inputs and outputs, permissions required, its security-related behaviour, and the platforms the API is available on.

**[REQ-EXT-MAS-2]**: The product shall support enterprise policy controls allowing administrators to disable the extension feature entirely, or specify an allow-list of extensions.

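Review bot: besides the clearer "the documentation shall specify" phrasing, this hunk changes "behavior" to "behaviour" in REQ-EXT-MAS-1 only; apply the same spelling across the document rather than in one requirement, or leave it for a separate consistency pass.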
@@ -646,7 +651,7 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

**[REQ-EXT-EMM-1]**: The product shall enforce a Content Security Policy for extension pages and scripts injected into web content.

**[REQ-EXT-EMM-2]**: The product shall validate an extension's manifest before installation and update, reject malformed manifests, and ignore unexpected manifest content.
**[REQ-EXT-EMM-2]**: The product shall validate an extension's manifest before installation and update, reject manifests that are malformed or contain disallowed content, and ignore unrecognised optional fields.

**[REQ-ISO-EMM-1]**: The product shall separate certain product components from each other to reduce the scope of exploits, using process isolation or similar industry standard mitigations.

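Review bot: "disallowed content" in the new REQ-EXT-EMM-2 is undefined; say where the set of allowed manifest content comes from (the API documentation required by REQ-EXT-MAS-1 is the natural reference). The two clauses can also conflict: a field that is unrecognised is by definition not on any allowed list, so state which rule wins, for example reject fields whose names are recognised but whose values are disallowed, and ignore fields whose names are not recognised.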
@@ -671,7 +676,7 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

**[REQ-TLS-LOG-1]**: The web browser shall present a user interface giving visibility into the security properties of the connection, including the origin.

**[REQ-EXT-LOG-1]**: The product shall provide the user the ability to identify running extensions, and to observe their activity.
**[REQ-EXT-LOG-1]**: The product shall provide the user the ability to identify which user-installed extensions are currently running, and the permissions in effect for each.

**[REQ-STORE-LOG-1]** The product shall provide an interface for viewing information about stored data at a granularity of site or narrower (e.g., origin).
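Review bot: the new REQ-EXT-LOG-1 drops "observe their activity" entirely and adds "user-installed", so the requirement no longer asks for any activity visibility and excludes extensions installed by enterprise policy or as unpacked developer extensions from being identifiable at all. Showing the permissions in effect is a good addition, but in the LOG clause the activity part is what supports investigating a misbehaving extension; keep it (even as "may") or explain the removal in the merge description, and drop "user-installed" unless that exclusion is intended.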