Firefox Extension IDs: The Bad and the Ugly

If you've ever developed a web application that communicates with a browser extension, you've probably encountered the subtle but significant differences between how Chrome and Firefox handle extension identifiers. While both browsers allow developers to specify static extension IDs, their implementation approaches diverge in ways that create real problems for security, privacy, user and developer experience. This post explores an issue I discovered while building Hister . What started as a straightforward CSRF protection implementation turned into a deep dive into Firefox's extension architecture decisions. Both Chrome and Firefox allow extension developers to have a static extension ID in their manifest. This ID serves as a persistent identifier for the extension across different installations and updates. In Chrome (and Chromium-based browsers), extension ID handling works exactly as you'd expect: You specify a public key in your manifest which guarantees a static extension ID The b