Implement chrome.management.install
Categories
(WebExtensions :: General, enhancement, P5)
Tracking
(Not tracked)
webextensions | ? |
People
(Reporter: andy+bugzilla, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: sec-want, Whiteboard: [management] triaged)
Attachments
(3 files)
Reporter | ||
Comment 1•8 years ago
|
||
Updated•8 years ago
|
Updated•8 years ago
|
Comment 2•8 years ago
|
||
Comment 3•8 years ago
|
||
Comment 4•8 years ago
|
||
Reporter | ||
Comment 7•7 years ago
|
||
Updated•6 years ago
|
Comment 8•6 years ago
|
||
Comment 9•6 years ago
|
||
This feature would be really useful allowing implementation of alternative addon managers supporting features don't exist in native FF addon manager.
Is there any plans to implement this feature? What would be likelihood of merging if somebody would submit a patch for this?
Comment 10•6 years ago
|
||
I created a patch for this. It isn't complete yet, but currently it allows management.install()
to install a WebExtension provided that requesting extension has managementExtensions
permission.
I plan to implement preventing installation of addons with managementExtensions
permission via this API method to avoid a loophole where two extensions could keep installing each other upon user uninstalling them.
I modified theme-switcher example for testing this patch manually:
https://github.com/ozars/webextensions-examples/tree/b6d0bd0cee6be54100aa93d9f434b28d60d6a426/addon-installer
I would appreciate if you could guide me landing this patch. I'm uploading it to phabricator.
Comment 11•6 years ago
|
||
Comment 12•6 years ago
|
||
Depends on D30732
Comment 13•6 years ago
|
||
Depends on D30782
Comment 14•6 years ago
|
||
I think we need to decide whether we allow this at all.
Comment 15•6 years ago
|
||
(In reply to Omer Ozarslan from comment #10)
I created a patch for this. It isn't complete yet, but currently it allows
management.install()
to install a WebExtension provided that requesting extension hasmanagementExtensions
permission.
Omer, thank you for the patch. Unfortunately, in the two years since this bug was marked P5, extensions have become an increasingly frequent target for malicious actors. Adding the ability to install an extension via another extension increases the attack surface and raises serious security concerns for Firefox users. Per the WebExtensions policy for new API (see Section II), I am going to deny this patch as too great of a security risk at this time.
I apologize for not catching this and closing it before your patch was submitted.
Description
•