Open Bug 1485012 Opened 6 years ago Updated 9 months ago

Reduce Activity Stream ability to open about pages

Categories

(Firefox :: New Tab Page, enhancement, P3)

People

(Reporter: jkt, Unassigned)

Attachments

(1 obsolete file)

The code that uses: "case ra.OPEN_ABOUT_PAGE:" is a little loose in that it permits opening any about page.

From :gijs https://phabricator.services.mozilla.com/D3873

> This seems to only ever be used with about:addons from current consumers. I don't know why the message isn't specific to that. Can you file a follow-up for AS to do that and/or restrict this to a list of allowed pages on the receiving side of this message passing channel? As it is, this is "let's just break about: page separation of privileges wholesale" and it's not OK.

We likely can make this an allow list and reduce the principal used here to a codebase one also.

Priority: P2 → P1
Component: Activity Streams: Newtab → New Tab Page
Priority: P1 → P3
Severity: normal → S3
Attachment #9387684 - Attachment is obsolete: true
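
The receiving-side allow list requested in the report could look like the sketch below. It is an added example, not code from this bug or from Firefox. Assumptions: the message shape (`data.page` holding the page name without the `about:` prefix), the `openTab` callback and all function names are hypothetical; only the `OPEN_ABOUT_PAGE` message name and the `about:addons` consumer come from the report.

```javascript
// Added example: hypothetical names throughout, not Firefox APIs.
// Assumption: the message carries the page name without the "about:" prefix in data.page.
const ALLOWED_ABOUT_PAGES = new Set(["addons"]); // the only page current consumers open

// Return the canonical about: URL for an allowed page, or null (deny by default).
function resolveAboutPage(page) {
  if (typeof page !== "string") return null;
  let url;
  try {
    url = new URL(`about:${page}`);
  } catch (e) {
    return null; // unparsable input is rejected, not passed through
  }
  // Match on the page name only: case-insensitive, query and fragment ignored.
  const name = url.pathname.toLowerCase();
  if (url.protocol !== "about:" || url.host !== "" || !ALLOWED_ABOUT_PAGES.has(name)) {
    return null;
  }
  // Rebuild the URL from the allow-list entry so no sender-supplied text is opened.
  return `about:${name}`;
}

// Receiving side of the channel; openTab is a hypothetical callback that opens a URL.
function handleMessage(message, openTab) {
  if (!message || message.type !== "OPEN_ABOUT_PAGE") return false;
  const url = resolveAboutPage(message.data && message.data.page);
  if (url === null) return false;
  openTab(url);
  return true;
}

// Constructed sample messages: only the first two should open a tab.
function runSamples() {
  const opened = [];
  const samples = ["addons", "Addons?x=1#y", "config", "//example.com", "addons/../config", 42];
  for (const page of samples) {
    handleMessage({ type: "OPEN_ABOUT_PAGE", data: { page } }, (u) => opened.push(u));
  }
  return opened;
}

console.log(runSamples()); // [ 'about:addons', 'about:addons' ]
```
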