Dec 18th 2017 Update
NoScript 10.1.6 reimplements the “Export” button functionality in a more convoluted way, which doesn’t require the “downloads” permissions anymore though 🙂 Enjoy!
It seems some users are really upset with NoScript 10.1.5.7 asking for an additional “downloads” permission.
This surprised me a bit. Not just because NoScript 5, which everyone loves to praise in order to bash 10, was all-mighty: like any other “legacy” add-on, it could even format your hard-disk, not before having sent all its content to a remote server in Siberia. But especially because they already granted NoScript 10 itself (like all the other content-blocking WebExtensions, including all the popular adblockers) plenty of much scarier permissions, such as the ability of monitoring and filtering all your network traffic, which I find the scariest of all but, quite obviously, is mandatory for the task you use NoScript for.
Unfortunately the WebExtensions permissions asking prompts don’t let authors to explain in advance what a certain permission is used for (yet I did provide this info in the support forum since first release), but for those who couldn’t figure it out from the changelog: the “downloads” permission just gives access to the downloads WebExtensions API, which NoScript uses to implement the “Export” feature and let you save a configuration file somewhere on your disk. Because, unlike “legacy” add-ons, WebExtensions cannot interact with your filesystem directly and so must make you “download” the file.
Notice also that instead, just like “legacy” add-ons, and unlike Chrome extensions AFAIK, Firefox WebExtensions are still reviewed at AMO by a trusted staff of experienced add-ons developers, whose job is much easier now because of the simplicity of the new API and, guess what?, because of the explicit permissions: the first thing they do with a new version is looking at the code differences and checking that those permissions are used in a legitimate way. Rob Wu, the reviewer which filtered 10.1.5.7 even suggested alternate ways to implement the Export functionality without the new permission, but we tried those and they just didn’t work.
Anyway, if you can’t trust with this (modest) power NoScript, a component of the Tor Browser (one of the most scrutinized software pieces on the planet by security experts all over the world), I wonder if it makes sense even trying to complete the WebExtension migration of FlashGot, which is much more frivolous but completely centered around this ultra-frightening “downloads” permission…