Closed Bug 1536826 Opened 5 years ago Closed 1 year ago

ServiceWorkers should be disabled in the webextensions process (under child intercept)

Categories

(Core :: DOM: Service Workers, enhancement, P2)

Product:
Core
Component:
DOM: Service Workers
Type:
enhancement

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: asuth, Unassigned)

Details

Bug 1530168 (and bug 1535699 where we're tracking the immediate issue) has shed some light on a concerning scenario where it's likely that ServiceWorker controlled pages can be opened in the webextensions content process, defeating the general sandboxing goal of keeping unprivileged content out of the privileged webextensions process. (I think that's the goal?)

The simplest solution here is likely to act like ServiceWorkers are disabled by preference in the webextensions process. I think this should actually still do what everyone actually wants, because by forcing a parent channel to be opened, the process swap logic should trigger for http/https pages, causing a child to be opened in an (appropriate) content process, where interception can actually trigger.

In terms of this bug, I think what we'd want is:

  • Some type of test that attempts to replicate the situation we're seeing. This means:
    • Have tests that create both a ServiceWorker registration with a scope that has a fetch handler, plus a scope that does not have a fetch handler.
    • Have a webextension involved that initiates a channel opening in the webextension process that matches the scope under test.
    • Have the test verify that in the end, the resulting tab is hosted in a content process, and not the webextension process.
    • I think without any changes to the code, the test should fail for the fetch-handling scope, and assert and crash with the no-fetch scope.
  • Have a fix that disables ServiceWorker interception in the webextensions remotetype content process. If possible this should cause the ServiceWorkerManager to not connect to the ServiceWorkerManagerService.
  • Maybe also consider adding an assertion that we never control a window inside a webextensions content process.

Eden, is this something you could take a look at? This might be something we'd pursue for uplift to 67, so I'd generally rank it a high priority.

Flags: needinfo?(echuang)

Sure I can take a look on it.

I am not familiar with build a test running web extension.
I guess I can find some examples under browser/components/extensions/test and realize how to do it.

Flags: needinfo?(echuang)
Assignee: nobody → echuang
Assignee: echuang → nobody
Severity: normal → S3

Child intercept is no longer a thing, so we can close this.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.