Closed
Bug 1442990
Opened 6 years ago
Closed 5 years ago
Consider allowing web extensions to upgrade display content
Categories
(WebExtensions :: General, enhancement, P3)
WebExtensions
General
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: jkt, Assigned: jkt)
References
Details
Attachments
(1 file)
|
59 bytes,
text/x-review-board-request
|
Details |
In Bug 1435733 we added the ability to upgrade display content. https://bugzilla.mozilla.org/show_bug.cgi?id=1435733#c53 > Can we expose this pref to WebExtensions? There is a precedent for allowing WebExtensions to control certain privacy/security features: https://bugzilla.mozilla.org/show_bug.cgi?format=default&id=1397611.
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → jkt
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Comment 2•6 years ago
|
||
I don't think you had any concerns of exposing this last time we spoke other than we shouldn't prioritise working on it. Let me know if this has changed. This should allow extension authors to contribute to telemetry for users in stable channel if we are blocking on shipping this to more users. I think this is worth having.
Flags: needinfo?(tanvi)
| Comment hidden (mozreview-request) |
|
||
Comment 4•6 years ago
|
||
The request to create a WebExtension API doesn't include much detail. How do you envision extensions using this? Also, jkt, will this preference ever be exposed to users outside of about:config (if it is, we need to be more careful about conflicts between manual user settings and settings that come from extensions)
Flags: needinfo?(bill)
|
||
Comment 5•6 years ago
|
||
I'm not sure this makes sense as an extension API. Do we envision that this pref will exist permanently? If I'm understanding it the pref is a transition state and eventually either the browser will just do this, or it will fail and we won't. Meanwhile extensions can already effectively upgrade requests: that's what the HTTPS Everywhere extension does. They can either use the request API and redirect, or they can modify incoming headers to add an "upgrade-insecure-request" CSP header.
|
|
||
Comment 6•6 years ago
|
||
note that HTTP Everywhere is unlikely to use the pref -- they've got a huge set of redirection rules because a simple http -> https swap causes lots of breakage. Any other extension that does use the pref would experience that breakage.
|
|
Assignee | |
Comment 7•6 years ago
|
||
> note that HTTP Everywhere is unlikely to use the pref Bill is this the case? Do the HTTPS Everywhere complex rules apply to content or just top levels requests? > Do we envision that this pref will exist permanently? I think the code doesn't cause the same problems priming did or the same complexity so I envisage that we will flip this at some point, it's just a case of 'when'.
Flags: needinfo?(tanvi)
|
||
Comment 8•6 years ago
|
||
> Bill is this the case? Do the HTTPS Everywhere complex rules apply to content or just top levels requests?
Jonathan, HTTPS Everywhere rulesets apply to all requests, not just first parties. Additionally, we do send the "upgrade-insecure-request" CSP request header when the "Block all unencrypted connections" option is turned on in the add-on. I see this useful for HTTPS Everywhere where we have insufficient coverage, and passive mixed content would have been blocked anyway. In this case, HTTPS Everywhere opportunistically upgrading passive resources would be a nicety for users.Flags: needinfo?(bill)
|
|
||
Comment 9•6 years ago
|
||
That being said, if this is going to be turned on by default anyway at some point, I'd understand if this pref wasn't exposed to WebExtensions.
|
||
Comment 10•6 years ago
|
||
Dan makes a good point; it doesn't make sense to expose this pref when we don't know the future of it. Right now, it is a proposal for Mixed Content Level 2, and we are experimenting with it. But we don't know for sure where its future lies, or if this the proposal that will eventually get spec'ed. So in that case, making it a web extension, potentially temporarily, doesn't make sense. I would leave this bug open and on the back burner until we figure out what we are doing with Mixed Content Level 2.
|
|
||
Comment 11•6 years ago
|
||
Comment on attachment 8955905 [details] Bug 1442990 - Expose a websites.upgradeMixedDisplayContent pref that Web Extensions can toggle. Clearing the review flag until we have an agreed-upon design here
Attachment #8955905 -
Flags: review?(aswan)
|
||
Updated•6 years ago
|
Keywords: dev-doc-needed
|
||
Updated•6 years ago
|
Product: Toolkit → WebExtensions
|
||
Comment 12•5 years ago
|
||
Hey Johnatan and Tanvi, can we get an update on the status of this feature 2 years later?
Is this something we still want for extensions, or can we close this?
In any case, I don't think this needs docs for now, can always ask later.
|
|
Assignee | |
Comment 13•5 years ago
|
||
The latest update (as of a few weeks ago) is that MCB 2 is happening and this should be in it. It's unclear of the timeline and rollout though.
Ironically we would of benefited from this two years ago by having the telemetry. Maybe we should close this given that if we want a rollout addon it could use privileged code to do this.
Flags: needinfo?(jkt)
|
|
||
Comment 14•5 years ago
|
||
Thanks, closing as per above discussion.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(tanvi)
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•