Open Bug 1485012 Opened 2 years ago Updated 8 months ago
Reduce Activity Stream ability to open about pages
The code that uses: "case ra.OPEN_ABOUT_PAGE:" is a little loose in that it permits opening any about page.

From :gijs https://phabricator.services.mozilla.com/D3873

> This seems to only ever be used with about:addons from current consumers. I don't know why the message isn't specific to that. Can you file a follow-up for AS to do that and/or restrict this to a list of allowed pages on the receiving side of this message passing channel? As it is, this is "let's just break about: page separation of privileges wholesale" and it's not OK. We likely can make this an allow list and reduce the principal used here to a codebase one also.
Component: Activity Streams: Newtab → New Tab Page
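A sketch of the receiver-side allow list the bug asks for, added here as an illustration and not taken from Firefox or Activity Stream source. The message shape (`{type, page}`), the function names and the `openTab` callback are assumptions; the URL passed to the opener is always rebuilt from the allow list, never copied from the sender.

```javascript
// Added example, not Firefox or Activity Stream source. The message shape
// ({type, page}) and all function names are hypothetical.

// Pages the privileged receiver is willing to open. The bug notes that
// about:addons is the only page current consumers request.
const ALLOWED_ABOUT_PAGES = new Set(["addons"]);

// Map a sender-supplied page name to a URL built from the allow list,
// or null when the request must be refused.
function resolveAboutPage(requested) {
  if (typeof requested !== "string") return null;
  const name = requested.startsWith("about:")
    ? requested.slice("about:".length)
    : requested;
  // Exact match only: no case folding, no query or fragment, no trimming.
  if (!ALLOWED_ABOUT_PAGES.has(name)) return null;
  return "about:" + name;
}

// Receiving side of the message channel. `openTab` stands in for whatever
// privileged tab-opening call the receiver makes.
function handleMessage(message, openTab) {
  if (!message || message.type !== "OPEN_ABOUT_PAGE") return false;
  const url = resolveAboutPage(message.page);
  if (url === null) return false; // refused: page is not on the allow list
  openTab(url);
  return true;
}

// Constructed sample messages.
const opened = [];
const samples = ["addons", "about:addons", "config", "about:addons?x=1", "about:about:addons", 7];
for (const page of samples) {
  const ok = handleMessage({ type: "OPEN_ABOUT_PAGE", page }, (u) => opened.push(u));
  console.log(JSON.stringify(page), ok ? "opened" : "refused");
}
```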