Open Bug 1572226 Opened 1 year ago Updated 1 year ago

Implement custom policies for experimental protocol API

Categories

(WebExtensions :: Experiments, enhancement, P3)

enhancement

Tracking

(Not tracked)

People

(Reporter: irakli, Unassigned)

References

(Blocks 1 open bug)

Details

In the current phase of the experiment it seems best to keep protocols isolated from http / https and possibly each other, which, as per a conversation with :bz, requires implementing custom policies:

1:13 PM Irakli Gozalishvili bz: btw that combination of flags also allows loading embedding http content is it possible to prevent that?
1:13 PM <•bz> You want your protocol to not be able to load http:?
1:15 PM Irakli Gozalishvili bz: I don’t want to disallow links to http but I do not want to allow embedding images or other things that would touch network
1:15 PM or at least have some way to control that
1:15 PM <•bz> Use CSP?
1:16 PM Irakli Gozalishvili bz: You mean through headers?
1:16 PM <•bz> or
1:16 PM or some other mechanism, if we have something else...
1:17 PM Irakli Gozalishvili bz: It needs to be default, not opt-in, and headers isn’t viable as far as I can tell as channel from custom protocol isn’t nsIHTTPChannel
1:18 PM Irakli Gozalishvili I think if scheme isn’t http(s) channel is never queried to nsIHttpChannel
1:18 PM <•bz> might need backend work...
1:18 PM You could also implement a content policy, of course
1:18 PM to get the same effect
1:19 PM Irakli Gozalishvili bz: can you provide more context or pointers, I’m not sure how would I do that
1:19 PM referring to implementing content policy
1:19 PM <•bz> https://searchfox.org/mozilla-central/source/dom/base/nsIContentPolicy.idl
1:20 PM https://developer.mozilla.org/en-US/docs/Archive/Mozilla/nsIContentPolicy may have some examples of how to hook it up
1:20 PM Then you get notified when loads happen
1:20 PM and can decide whether to allow or not
1:20 PM <•bz> based on what's being loaded and by whom and so forth

Priority: -- → P3