Support new content script registration `optional`

[marcellino-ornelas]

Feature Request

Add a new registration: 'optional' option for content scripts that moves their matches into optional_host_permissions instead of host_permissions, and registers them dynamically via browser.scripting.registerContentScripts() at runtime.

Currently, registration: 'runtime' moves matches to host_permissions, which still triggers Chrome's permission escalation dialog when new hosts are added on extension update (disabling the extension until the user re-accepts). Extensions that want to support new hosts without disabling need to use optional_host_permissions instead.

Proposed API:

export default defineContentScript({
    matches: ['https://my-app.com/*'],
    registration: 'optional',
    // ...
});

Behavior:

• Strip the content script's matches from manifest.json content_scripts
• Add them to optional_host_permissions instead of host_permissions
  • Would be nice if this was deduped if user already had urls in optional_host_permissions. example if I had *.app.com in optional_host_permissions theres no need to put auth.app.com because its covered by the existing one
• Nice to have: Register dynamically via browser.scripting.registerContentScripts() in the background script
• Scripts run only after the user grants the optional host permission

Is your feature request related to a bug?

N/A — though this addresses a common pain point where adding new content_scripts.matches entries causes Chrome to disable the extension on update due to permission escalation, even when the hosts are already covered by optional_host_permissions.

What are the alternatives?

We built a custom WXT module that:

1. Hooks into entrypoints:resolved to identify content scripts targeting optional hosts
2. Generates a virtual module with the optional content script data via prepare:types
3. Strips them from the manifest in build:manifestGenerated
4. Registers them dynamically in the background script using browser.scripting.registerContentScripts()

This works but requires significant custom infrastructure that could be a first-class WXT feature. The registration: 'runtime' codepath already handles most of this — the main difference is the target permission type (optional_host_permissions vs host_permissions).

Additional context

• Chrome treats any new entry in content_scripts.matches as a permission escalation, regardless of whether the host is already in optional_host_permissions
• optional_host_permissions changes alone do not trigger the escalation dialog
• browser.scripting.registerContentScripts() registrations persist across service worker restarts and extension updates, so they only need to be set up once
• This is a common pattern for extensions that progressively support new domains without disrupting existing users

[marcellino-ornelas]

sort of related to the second half of wxt registering the content scripts for me

#2040

[aklinker1]

Nice, I really like this idea. Should work in MV2/firefox my converting optional_host_permissions to optional_permissions. I don't remember if WXT already does this...

This is apart of the build system, so it makes sense to add to the core wxt package.

[andoan16]

Auto-closing: linked PR #2257 was closed (CI checks failed). Sorry for the inconvenience.

[aklinker1]

@andoan16 please don't test your AI agent on WXT. It's clearly not ready if it closes PRs after failing a one-shot. Your annoying maintainers, real people, with additional notifications and confusion. This is the second time this has happened.

[marcellino-ornelas]

This is apart of the build system, so it makes sense to add to the core wxt package.

Awesome 🙌🏽 That would be great. right now were doing some hacky stuff to support this with a module lol