Open
Bug 1401663
Opened 7 years ago
Updated 2 years ago
Use the remoted unpacked security checks in non-remoted moz-extension loads
Categories
(WebExtensions :: Request Handling, enhancement, P3)
Tracking
(firefox57 affected)
NEW
Tracking | Status | |
---|---|---|
firefox57 | --- | affected |
People
(Reporter: haik, Unassigned)
Details
Make the checks added in bug 1334550 (where we make sure an unpacked moz-extension load returns a file that is within the extension directory) also apply to non-remoted moz-extension code paths in the parent. For non-remoted loads, these checks add an extra layer of security. I previously intended to add these checks in bug 1376496, but at the time I couldn't find a way to do that without having to perform the checks twice for each unpacked moz-extension load. Now, other bug fixes in ExtensionProtocolHandler make it possible to do this without double checking: with the fix for bug 1380156, ExtensionProtocolHandler::NewStream() doesn't call NS_NewChannel() with a moz-extension URI anymore.
Reporter | ||
Updated•7 years ago
|
Hardware: Unspecified → All
Updated•7 years ago
|
Priority: -- → P3
Updated•6 years ago
|
Product: Toolkit → WebExtensions
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•