Tighten sandboxing for extension content process

NEW
Unassigned

Status

Core
Security: Process Sandboxing
2 months ago
a day ago

People

(Reporter: kmag, Unassigned)

Tracking

(Depends on: 1 bug, Blocks: 1 bug)

Trunk
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox54 affected)

Details

(Whiteboard: sbwc4)

(Reporter)

Description

2 months ago
We currently use the default sandboxing rules for the extension content process. We should be able to tighten it considerably, given the limitations of the environment. In particular:

- There should be no need for filesystem write access, or read access outside of omni.ja. We will need to proxy moz-extension: protocol requests to the parent process in order to accomplish this, however.

- Ideally, we shouldn't allow web content to be loaded into the extension process. I'm not sure how strictly we can enforce this at the process sandbox level, though, since some existing extension code depends on loading remote resources like images and fonts which aren't declared anywhere in their permissions.

- As a caveat, Google Chrome allows extensions arbitrary filesystem read access via requests to file: URLs if a user has given them permission. We should discuss what kind of support, if any, we want to add for this, but it should probably be deferred until we support multiple extension content processes.
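The policy sketched in the three points above (no writes, reads only of omni.ja, moz-extension: requests proxied to the parent, file: access deferred) can be written down as a small broker decision function. The block below is an added illustration, not Firefox's sandbox code or anything from this bug; the install path, the `Request` shape and the decision labels are assumptions chosen for the example. It normalizes paths before matching so that `..` tricks do not slip past the allowlist, and it treats anything it does not recognize as denied.

```python
"""Constructed model of the filesystem policy proposed for the extension
content process. Hypothetical: not the real Firefox sandbox broker."""
import posixpath
from dataclasses import dataclass

# Assumed install location of the omni.ja resource archive (hypothetical).
OMNI_JA = "/usr/lib/firefox/omni.ja"


@dataclass(frozen=True)
class Request:
    op: str      # "read" or "write"
    target: str  # absolute filesystem path, or a moz-extension:/file: URL


def normalize(path):
    """Collapse '.', '..' and duplicate slashes; reject relative paths.

    Note: normpath is purely lexical and does not resolve symlinks. A real
    broker must resolve the final path in the trusted (parent) process.
    """
    if not path.startswith("/"):
        return None
    return posixpath.normpath(path)


def decide(req):
    """Return 'allow', 'deny' or 'proxy' for one request.

    Default is deny; only the cases the proposal explicitly permits are allowed.
    """
    # moz-extension: resources live outside what the process may read, so the
    # request is forwarded to the parent process instead of served locally.
    if req.target.startswith("moz-extension:"):
        return "proxy"
    # file: URL access for extensions is deferred in the proposal: deny for now.
    if req.target.startswith("file:"):
        return "deny"
    path = normalize(req.target)
    if path is None:
        return "deny"
    # No filesystem write access at all.
    if req.op == "write":
        return "deny"
    # Read access only to the omni.ja archive itself.
    if req.op == "read" and path == OMNI_JA:
        return "allow"
    return "deny"


def audit(requests):
    """Evaluate a batch of requests and tally the outcomes (constructed helper)."""
    tally = {"allow": 0, "deny": 0, "proxy": 0}
    for req in requests:
        tally[decide(req)] += 1
    return tally


# Constructed sample requests, the kind a broker would see from the process.
SAMPLE = [
    Request("read", OMNI_JA),
    Request("read", "/usr/lib/firefox/../firefox/omni.ja"),   # lexically the same file
    Request("read", "/usr/lib/firefox/omni.ja/../../../etc/passwd"),
    Request("write", OMNI_JA),
    Request("read", "/home/user/.ssh/id_rsa"),
    Request("read", "moz-extension://abcd-1234/popup.html"),
    Request("read", "file:///etc/hosts"),
    Request("read", "relative/path"),
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(f"{req.op:5} {req.target:55} -> {decide(req)}")
    print(audit(SAMPLE))
```

Running the block prints one decision per constructed request; only the two reads that resolve to omni.ja are allowed, the moz-extension: request is proxied, and everything else is denied.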

Updated

2 months ago
Whiteboard: sbwc4