Closed Bug 1380729 Opened 7 years ago Closed 4 years ago

Document all the sensitive requests that webRequest API doesn't grant access to

Categories

(Developer Documentation Graveyard :: Add-ons, defect, P5)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: tumpio, Unassigned)

Details

(Whiteboard: triaged)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170630112252



Actual results:

The webRequest API documentation uses vague wording for requests that the API doesn't grant access to. The current wording, "some security sensitive requests" followed by "such as update checks and OCSP checks.", is not detailed enough to describe all the requests that the user of the API is not granted access to.


Expected results:

All the requests (hosts, types) that the API does not grant access to should be documented in the WebRequest API.
See Also: → 1279371
I require this information for https://addons.mozilla.org/addon/requestcontrol/ to let users know which requests it has no control over.
See Also: → 1380739
I've tried to conclude this information from various sources. Here is what I have currently.

webRequest API is inadequate to control the following HTTP requests:

Any requests made to the privileged hosts: (from bug 1334918)
  addons.mozilla.org
  discovery.addons.mozilla.org
  testpilot.firefox.com

Any requests originating from restricted pages (outside of extension sandbox?):
  about:* pages: (from bug 1270412)
  (update checks ?)

Any requests having the following types:
  OCSP- (from bug 1279371)

Is this information correct? Am I missing something?
Any system principal requests, which would include things like safe browsing, browser update checks, etc. To put it in an easy (though maybe less accurate) way, any requests made by Firefox for itself are restricted.
Keywords: dev-doc-needed
Priority: -- → P5
Whiteboard: triaged
Understood. One small detail that I'm not sure about.

Are these system principal requests completely out of the scope of webRequest API, meaning that they are not even triggering any webRequest events?

Or is the behaviour for them the same as it is for the privileged hosts (bug 1334918): an event is triggered but any webRequest blocking action is ignored?

Maybe this information could be added to the documentation as well.
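
One way to check the question above empirically, as an added example that is not part of the original thread or of Firefox's code: a background-script probe that asks webRequest to cancel requests to the hosts listed earlier and records whether the cancel was honored, ignored, or no event arrived at all. `CancelProbe`, `PROBE_HOSTS` and the outcome labels are hypothetical names; the listener registrations use the standard WebExtension `webRequest` events.

```javascript
// Added example, not from the bug thread. PROBE_HOSTS is the host list quoted
// in the thread; CancelProbe and its outcome labels are hypothetical names.
const PROBE_HOSTS = ["addons.mozilla.org", "discovery.addons.mozilla.org",
                     "testpilot.firefox.com"];
class CancelProbe {
  constructor(hosts) {
    this.hosts = new Set(hosts);
    this.pending = new Map();  // requestId -> host we asked to cancel
    this.outcome = new Map();  // host -> last observed outcome
  }
  // onBeforeRequest (blocking): ask to cancel only requests to probed hosts.
  onBeforeRequest(details) {
    let host;
    try { host = new URL(details.url).hostname; } catch (e) { return {}; }
    if (!this.hosts.has(host)) return {};
    this.pending.set(details.requestId, host);
    this.outcome.set(host, "event-seen-unsettled");
    return { cancel: true };
  }
  // onCompleted: the request finished even though we asked to cancel it.
  onCompleted(details) { this.settle(details.requestId, "cancel-ignored"); }
  // onErrorOccurred: assumed to mean the cancel took effect; a network
  // failure on a probed request would be recorded the same way.
  onErrorOccurred(details) { this.settle(details.requestId, "cancel-honored"); }
  settle(requestId, result) {
    const host = this.pending.get(requestId);
    if (host === undefined) return;  // not a request we tried to cancel
    this.pending.delete(requestId);
    this.outcome.set(host, result);
  }
  // "no-event-seen": no event for that host has reached this extension.
  report() {
    const out = {};
    for (const h of this.hosts) out[h] = this.outcome.get(h) || "no-event-seen";
    return out;
  }
}

// Wire up only in a WebExtension background script (needs the "webRequest",
// "webRequestBlocking" and "<all_urls>" permissions in manifest.json).
if (typeof browser !== "undefined" && browser.webRequest) {
  const probe = new CancelProbe(PROBE_HOSTS);
  const filter = { urls: ["<all_urls>"] };
  browser.webRequest.onBeforeRequest.addListener(
    (d) => probe.onBeforeRequest(d), filter, ["blocking"]);
  browser.webRequest.onCompleted.addListener((d) => probe.onCompleted(d), filter);
  browser.webRequest.onErrorOccurred.addListener((d) => probe.onErrorOccurred(d), filter);
  globalThis.cancelProbe = probe;  // inspect cancelProbe.report() in the console
}
```

A host that stays at "no-event-seen" after you have visited it is a candidate for the "not even triggering events" case; "cancel-ignored" matches the behaviour described for privileged hosts.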
MDN Web Docs' bug reporting has now moved to GitHub. From now on, please file content bugs at https://github.com/mdn/sprints/issues/ and platform bugs at https://github.com/mdn/kuma/issues/.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX