Open Bug 1572226 Opened 4 years ago Updated 4 months ago

Implement custom policies for experimental protocol API


(WebExtensions :: Experiments, enhancement, P3)



(Not tracked)


(Reporter: irakli, Unassigned)


(Blocks 1 open bug)


In the current phase of the experiment it seems best to keep protocols isolated from http / https and possibly each other, which, as per a conversation with :bz, requires implementing custom policies:

1:13 PM <Irakli Gozalishvili> bz: btw that combination of flags also allows loading embedding http content, is it possible to prevent that?
1:13 PM <bz> You want your protocol to not be able to load http:?
1:15 PM <Irakli Gozalishvili> bz: I don’t want to disallow links to http but I do not want to allow embedding images or other things that would touch network
1:15 PM or at least have some way to control that
1:15 PM <bz> Use CSP?
1:16 PM <Irakli Gozalishvili> bz: You mean through headers?
1:16 PM <bz> or
1:16 PM or some other mechanism, if we have something else...
1:17 PM <Irakli Gozalishvili> bz: It needs to be default, not opt-in, and headers aren’t viable as far as I can tell, as channel from custom protocol isn’t nsIHTTPChannel
1:18 PM <Irakli Gozalishvili> I think if scheme isn’t http(s) channel is never queried to nsIHttpChannel
1:18 PM <bz> might need backend work...
1:18 PM You could also implement a content policy, of course
1:18 PM to get the same effect
1:19 PM <Irakli Gozalishvili> bz: can you provide more context or pointers, I’m not sure how I would do that
1:19 PM referring to implementing content policy
1:19 PM <bz>
1:20 PM may have some examples of how to hook it up
1:20 PM Then you get notified when loads happen
1:20 PM and can decide whether to allow or not
1:20 PM <bz> based on what's being loaded and by whom and so forth

Priority: -- → P3
Severity: normal → S3