Closed Bug 1577446 Opened 5 years ago Closed 5 years ago

Display better image info in the Manifest

Categories

(DevTools :: Application Panel, enhancement, P1)

Product:
DevTools
Component:
Application Panel
Type:
enhancement

Tracking

(firefox71 fixed)

Status:
RESOLVED FIXED
Milestone:
Firefox 71
Tracking Flags:
Tracking Status
firefox71 --- fixed

People

(Reporter: ladybenko, Assigned: ladybenko)

References

(Blocks 1 open bug)

Details

(Whiteboard: [manifest-reserve])

Attachments

(2 files)

Bug 1577446 - Part 1: Show images and metadata for icons in the manifest
47 bytes, text/x-phabricator-request
Details | Review
Bug 1577446 - Part 2: Add tests for showing icons in the manifest
47 bytes, text/x-phabricator-request
Details | Review

We should display the actual image in the manifest (not just the URL), as well as data relevant that is included in the canonical manifest we get from platform (purpose, type)

Priority: -- → P3
Whiteboard: [triage]
Assignee: nobody → balbeza
Status: NEW → ASSIGNED
Priority: P3 → P1
Whiteboard: [manifest-reserve]

I think it could be bad to use any kind of URL. (I'm not sure if _processRawManifestIcons() is the right function where this needs to be fixed, but it should be fixed everywhere we take URLs from content). Weird URLs like the one in https://bugzilla.mozilla.org/show_bug.cgi?id=1372112#c24 can be really bad.

Can you come up with an allow-list or URL schemes?
E.g., If manifest images have to be same-origin, that would be easy to create on the fly.
Otherwise I would check the URL scheme for "https" and "http".
In both cases you can use the URL parser, as you're probably well aware :)

Feel free to flag me for feedback, if you're uncertain. But no need for another review.

P.S: The security team does mostly design reviews, to consider threats and mitigations from a big picture. Code review usually does not involve security folks. E.g., for the whole manifest/application panel you could email <secreview@mozilla.com>

After a chat with :freddyb, I added the following CSP policy:

default-src chrome: resource:; img-src http: https: data: chrome:;

Pushed by balbeza@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2d88864f61a3
Part 1: Show images and metadata for icons in the manifest r=Ola,fluent-reviewers,flod
https://hg.mozilla.org/integration/autoland/rev/88618365cf4b
Part 2: Add tests for showing icons in the manifest r=Ola

https://hg.mozilla.org/mozilla-central/rev/2d88864f61a3
https://hg.mozilla.org/mozilla-central/rev/88618365cf4b

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox71: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 71
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: