Allow WebExtensions to construct a Cu.Sandbox

Status: NEW
Assignee: Unassigned (Needinfo from 2 people)
Product: Toolkit
Component: WebExtensions: General
Reported: 2 months ago
Modified: 2 days ago

People

(Reporter: robwu, Unassigned, NeedInfo)

Tracking

(Blocks: 1 bug)

Version: 52 Branch

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 months ago
User script managers need to run untrusted code in an isolated context, which
1) protects the script from tampering by the page and
2) protects other scripts from malicious scripts.

I looked at Tampermonkey for Chrome (also a user script manager), and it runs all user scripts in the context of the page, while exposing semi-privileged methods such as GM_xmlhttpRequest to the script. Creating such a sandbox takes a lot of effort (not just development time, but also runtime) and is not guaranteed to be secure.

Since we have Cu.Sandbox in Firefox [1], we should expose this to WebExtensions to allow them to run untrusted scripts.

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Language_Bindings/Components.utils.Sandbox

Comment 1

a month ago
adding details for won't fix
Flags: needinfo?(kmaglione+bmo)

Comment 2

a month ago
At some point in the future there may be JS Realms, which are quite similar to sandboxes. So maybe a shim around sandboxes that models things after realm APIs could be used? Although one thing is missing from realms: control over xrays.

see https://github.com/tc39/proposal-realms and bug 962053

Comment 3

29 days ago
Today Greasemonkey uses two modes of sandbox operation:

a) |@grant none| mode[0]. This is a sandbox with the same principal as the page content and with xrays off.
b) privileged API mode[1]. This is a sandbox with an extended principal that only contains the content principal and with xrays on.

And to actually use the sandbox it obviously needs a way to load scripts into it[2]. That's all fairly similar to what webextensions are doing but there also are some differences that make implementing userscripts on top of webextensions less secure than they are in GM. 


[0] https://github.com/greasemonkey/greasemonkey/blob/3.10/modules/sandbox.js#L32-L39
[1] https://github.com/greasemonkey/greasemonkey/blob/3.10/modules/sandbox.js#L50-L58
[2] https://github.com/greasemonkey/greasemonkey/blob/3.10/modules/sandbox.js#L190
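The two sandbox modes and the script-loading step from the comment above, written out as an added example (this is not Greasemonkey's or Firefox's own code). It assumes the caller passes in a Components.utils-like object (`Cu`) so the option shapes can be inspected outside of chrome code; `sandboxOptions`, `createUserScriptSandbox` and `runUserScript` are hypothetical helper names. The real Cu.Sandbox and Cu.evalInSandbox signatures are used: a single principal (here the content window) gives the page's own principal, while a one-element array of principals yields an expanded principal that wraps only the content principal.

```javascript
// Added example, not code from the bug or from Greasemonkey. "Cu" is injected so
// the configuration can be exercised with a stub outside privileged Firefox code.

// Build the principal and option bag for one of the two sandbox modes.
function sandboxOptions(mode, contentWindow, scriptName) {
  const base = {
    sandboxName: `user script: ${scriptName}`,
    // Unresolved globals in the script resolve against the page's window.
    sandboxPrototype: contentWindow,
  };
  if (mode === "grant-none") {
    // Mode (a): same principal as the page, X-ray wrappers off, so the script
    // sees the page's own (possibly modified) objects and has no extra power.
    return {
      principal: contentWindow,
      options: { ...base, wantXrays: false },
    };
  }
  if (mode === "privileged") {
    // Mode (b): an expanded principal containing only the content principal,
    // with X-rays on so page-side tampering with DOM prototypes cannot reach
    // the script. wantExportHelpers lets the manager export its GM_* API into
    // the sandbox with Cu.exportFunction / Cu.cloneInto.
    return {
      principal: [contentWindow],
      options: { ...base, wantXrays: true, wantExportHelpers: true },
    };
  }
  throw new Error(`unknown sandbox mode: ${mode}`);
}

// Construct the sandbox for a script in the given mode.
function createUserScriptSandbox(Cu, mode, contentWindow, scriptName) {
  const { principal, options } = sandboxOptions(mode, contentWindow, scriptName);
  return Cu.Sandbox(principal, options);
}

// Evaluate the script source inside the sandbox, never in the page's own global.
// The filename and line number make stack traces attributable to the script.
function runUserScript(Cu, sandbox, source, filename) {
  return Cu.evalInSandbox(source, sandbox, "ECMAv5", filename, 1);
}

// Tear the sandbox down when the script is unloaded so nothing in the page can
// keep reaching into it afterwards.
function destroyUserScriptSandbox(Cu, sandbox) {
  Cu.nukeSandbox(sandbox);
}
```

In chrome code `Cu` would be `Components.utils` and `contentWindow` the content document's window; the stub-friendly shape is only there so the option construction can be checked without a running browser.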

Updated

2 days ago
Flags: needinfo?(sescalante)