Open
Bug 1485012
Opened 6 years ago
Updated 9 months ago
Reduce Activity Stream ability to open about pages
Categories
(Firefox :: New Tab Page, enhancement, P3)
Firefox
New Tab Page
Tracking
()
NEW
People
(Reporter: jkt, Unassigned)
References
Details
Attachments
(1 obsolete file)
The code that uses: "case ra.OPEN_ABOUT_PAGE:" is a little loose in that it permits opening any about page.
From :gijs https://phabricator.services.mozilla.com/D3873
> This seems to only ever be used with about:addons from current consumers. I don't know why the message isn't specific to that. Can you file a follow-up for AS to do that and/or restrict this to a list of allowed pages on the receiving side of this message passing channel? As it is, this is "let's just break about: page separation of privileges wholesale" and it's not OK.
We likely can make this an allow list and reduce the principal used here to a codebase one also.
Updated•6 years ago
|
Priority: P2 → P1
Assignee | ||
Updated•5 years ago
|
Component: Activity Streams: Newtab → New Tab Page
Updated•5 years ago
|
Priority: P1 → P3
Updated•2 years ago
|
Severity: normal → S3
Updated•9 months ago
|
Attachment #9387684 -
Attachment is obsolete: true
You need to log in
before you can comment on or make changes to this bug.
Description
•