Open Bug 1485012 Opened 2 years ago Updated 8 months ago

Reduce Activity Stream ability to open about pages

Tracking

()

Status:

NEW

People

(Reporter: jkt, Unassigned)

References

Details

Jonathan Kingston [:jkt] (not really reading NI, email if needed)

Reporter

Description

•

2 years ago

The code that uses: "case ra.OPEN_ABOUT_PAGE:" is a little loose in that it permits opening any about page.

From :gijs https://phabricator.services.mozilla.com/D3873
> This seems to only ever be used with about:addons from current consumers. I don't know why the message isn't specific to that. Can you file a follow-up for AS to do that and/or restrict this to a list of allowed pages on the receiving side of this message passing channel? As it is, this is "let's just break about: page separation of privileges wholesale" and it's not OK.

We likely can make this an allow list and reduce the principal used here to a codebase one also.

Kate Hudson :k88hudson

Updated

•

2 years ago

Priority: P2 → P1

Nobody; OK to take it and work on it

Assignee

Updated

•

1 year ago

Component: Activity Streams: Newtab → New Tab Page

Gavin Suntop [:gvn] (they/he)

Updated

•

8 months ago

Priority: P1 → P3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Reduce Activity Stream ability to open about pages

Categories

(Firefox :: New Tab Page, enhancement, P3)

Tracking

()

People

(Reporter: jkt, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated