Closed Bug 1587939 Opened 2 years ago Closed 2 years ago

Support addon csp in the script security manager

Categories

(WebExtensions :: General, enhancement, P2)

Product:
WebExtensions
Component:
General
Type:
enhancement

Tracking

(firefox72 fixed)

Status:
RESOLVED FIXED
Milestone:
mozilla72
Tracking Flags:
Tracking Status
firefox72 --- fixed

People

(Reporter: mixedpuppy, Assigned: mixedpuppy)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1587939 enforce addon content script CSP in eval
47 bytes, text/x-phabricator-request
Details | Review

Currently addon content scripts that use eval and new Function do not trigger csp violations.

This can be addressed in nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction by checking for a csp on the expanded principal.

Assignee: nobody → mixedpuppy
Status: NEW → ASSIGNED
Pushed by scaraveo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/23c113d65b48
enforce addon content script CSP in eval r=ckerschb,robwu

https://hg.mozilla.org/mozilla-central/rev/23c113d65b48

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox72: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72

Hello,

Will this fix require manual validation? If yes, please provide some steps to reproduce in order to correctly test it and also, please set the "qe-verify+" flag. Otherwise, could the "qe-verify-" flag be added? Thanks!

Flags: needinfo?(mixedpuppy)

There are tests

Flags: needinfo?(mixedpuppy) → qe-verify-
You need to log in before you can comment on or make changes to this bug.