Update eval() assertions to account for userChrome.css
Categories: Core :: DOM: Security, enhancement, P2

| | Tracking | Status |
|---|---|---|
| firefox70 | --- | fixed |

People: Reporter: tjr, Assigned: tjr
References: Blocks 1 open bug
Details: Whiteboard: [domsecurity-active]
Attachments: 1 file
Over at https://github.com/nuchi/firefox-quantum-userchromejs someone has demonstrated a way to (ab)use userchrome.css to get JavaScript to run. It's conceptually the same thing as userChrome.js.
I think this is the source of our Nightly telemetry showing eval() usage, so I'm going to land this and hope we don't get more telemetry reports.
Comment 1•5 years ago (Assignee)
Updated•5 years ago
Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f562fda29d7c
Do not enforce eval() assertions if userchrome.css is enabled r=ckerschb
Comment 3•5 years ago
I'm still a bit confused. Thunderbird has an add-on userChromeJS (https://addons.thunderbird.net/en-GB/thunderbird/addon/userchromejs-2/) which is the successor of a similar one that the author no longer maintains. So is there a "userChrome" add-on for FF? I thought something like that would have been discontinued at FF 57.
Comment 4•5 years ago (Assignee)
(In reply to Jorg K (GMT+2) from comment #3)
> I'm still a bit confused. Thunderbird has an add-on userChromeJS (https://addons.thunderbird.net/en-GB/thunderbird/addon/userchromejs-2/) which is the successor of a similar one that the author no longer maintains. So is there a "userChrome" add-on for FF? I thought something like that would have been discontinued at FF 57.
AFAICT: userChrome is a catch-all for user-made modifications to the core app experience.
userchrome.css is a still-mostly-supported feature to apply CSS rules to the browser itself.
userchrome[.]js is a hack that allows you to (ab)use enterprise configuration capabilities to run JavaScript in a privileged context in the browser and affect the browser in ways we don't support.
I believe userChromeJS evolved from a normal pre-57 style add-on into the current hack it is today to achieve roughly the same goals.
There is no 'userChromeJS' add-on in the sense of an Extension, but you can place files in certain places and then set prefs to abuse functionality to achieve some of the effects of a pre-57 add-on.
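
A defender-side triage sketch for the distinction drawn in comment 4, added here as an example and not taken from the bug, the patch or Mozilla's code: it checks a profile for the userChrome.css opt-in so that eval() telemetry from that profile can be attributed. `toolkit.legacyUserProfileCustomizations.stylesheets` is a real Firefox pref that this page does not mention; that the relaxed assertion keys off it is an assumption, and the sample profile is constructed.

```python
import re
import tempfile
from pathlib import Path

# Real Firefox pref (69+) that gates loading of chrome/userChrome.css. Treating it
# as the signal the eval() assertion checks is an assumption, not stated on the page.
STYLESHEET_PREF = "toolkit.legacyUserProfileCustomizations.stylesheets"
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);')


def read_prefs(profile: Path) -> dict:
    """Merge prefs.js then user.js; user.js is applied last at startup and wins."""
    prefs = {}
    for name in ("prefs.js", "user.js"):
        path = profile / name
        if not path.is_file():
            continue
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            match = PREF_LINE.match(line)
            if match:
                prefs[match.group(1)] = match.group(2).strip()
    return prefs


def audit_profile(profile: Path) -> dict:
    """Report whether eval() telemetry from this profile has a userChrome explanation."""
    pref_on = read_prefs(profile).get(STYLESHEET_PREF) == "true"
    css_present = (profile / "chrome" / "userChrome.css").is_file()
    return {
        "stylesheet_pref_enabled": pref_on,
        "userchrome_css_present": css_present,
        # The file without the pref is not loaded; both are needed to be active.
        "customization_active": pref_on and css_present,
        # Assumption: the assertion is skipped whenever the pref is enabled.
        "eval_assertion_expected": not pref_on,
    }


def build_sample_profile(root: Path, pref_value: str, with_css: bool) -> Path:
    """Constructed sample profile for the demo; not a real user's data."""
    (root / "chrome").mkdir(parents=True)
    (root / "prefs.js").write_text(f'user_pref("{STYLESHEET_PREF}", false);\n')
    (root / "user.js").write_text(f'user_pref("{STYLESHEET_PREF}", {pref_value});\n')
    if with_css:
        (root / "chrome" / "userChrome.css").write_text("#nav-bar { margin: 0; }\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_profile(build_sample_profile(Path(tmp) / "p", "true", True)))
```
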
Comment 5•5 years ago
bugherder