disallow remotely hosted code in extensions
Categories
(WebExtensions :: General, task, P2)
Tracking
(firefox86 fixed)
Tracking | Status
---|---
firefox86 | fixed
People
(Reporter: mixedpuppy, Assigned: mixedpuppy)
References
(Blocks 1 open bug)
Details
Attachments
(3 files, 2 obsolete files)
Developers can no longer use CSP directives that enable remotely hosted code (code that is not bundled with the extension). Manifests that include such directives will error at parse time.
script-src, worker-src, object-src, and style-src with non-local values are disallowed.
Comment 1•5 years ago
This will require two sets of csp defaults, one for v2 and one for v3. As well, if bug 1594235 is implemented, we'll need a separate set for that.
Comment 2
Is script-src, worker-src, object-src, and style-src an exhaustive list? More specifically, will frame-src still be allowed to specify remote resources?
Comment 3•4 years ago
(In reply to Vincent from comment #2)
> Is script-src, worker-src, object-src, and style-src an exhaustive list? More specifically, will frame-src still be allowed to specify remote resources?

It is documented here for Chrome:
https://developer.chrome.com/extensions/migrating_to_manifest_v3
Comment 4•4 years ago
WIP: Make sure we can differentiate between V2 and V3 format in order to choose the proper base CSP.
Comment 5•4 years ago
Comment 6•4 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=40b471cc121e4854e28b40444e2b80ada56e1f9d
Comment 7•3 years ago
Comment 8•3 years ago
This patch adds CSP validation for manifest v3 changes when parsing the addon manifest.
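The parse-time check described in the bug description and in comment 8, written out as an added illustrative example. This is not Firefox's validator and not code from this bug's patches: the set of source expressions it treats as "local" ('self', 'none', and moz-extension: origins), the decision to leave v2 manifests unchecked, and the sample manifests with `.test` hostnames are all assumptions made for the example. The two manifest shapes it reads (a string under `content_security_policy` in v2, an `extension_pages` key in v3) follow the documented MV3 format.

```javascript
// Added example for this bug, not Firefox's own validator: a manifest-parse-time
// check that rejects remotely hosted code in the MV3 CSP. The set of sources
// treated as "local" below is an assumption made for the example.

// Directives that, per the bug description, may not name non-local sources in v3.
const MV3_RESTRICTED_DIRECTIVES = new Set([
  "script-src", "worker-src", "object-src", "style-src",
]);

// Assumed "local" source expressions: 'self', 'none', or a moz-extension: origin
// (packaged extension resources). Everything else, including https: hosts,
// wildcards, data:, blob: and 'unsafe-*' keywords, counts as non-local here.
function isLocalSource(source) {
  const s = source.toLowerCase();
  return s === "'self'" || s === "'none'" || s.startsWith("moz-extension:");
}

// Parse a policy string into Map<directive, sources[]>. Directives are split on
// ';', sources on whitespace; as in CSP, a repeated directive is ignored.
function parseCSP(policy) {
  const directives = new Map();
  for (const chunk of policy.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Returns the list of parse-time errors for a manifest object; an empty list
// means the manifest passes this check. Manifest shapes handled:
//   v2: "content_security_policy": "<policy>"
//   v3: "content_security_policy": { "extension_pages": "<policy>" }
function validateManifestCSP(manifest) {
  const errors = [];
  const csp = manifest.content_security_policy;
  if (manifest.manifest_version < 3) {
    // v2 keeps its existing rules, which this example does not model.
    return errors;
  }
  if (csp == null) return errors;                 // browser default CSP applies
  if (typeof csp !== "object") {
    errors.push("content_security_policy must be an object in manifest v3");
    return errors;
  }
  const policy = csp.extension_pages;
  if (typeof policy !== "string") return errors;  // nothing to validate
  for (const [name, sources] of parseCSP(policy)) {
    if (!MV3_RESTRICTED_DIRECTIVES.has(name)) continue;  // e.g. frame-src is left alone
    for (const source of sources) {
      if (!isLocalSource(source)) {
        errors.push(`${name}: non-local source ${source} is not allowed in manifest v3`);
      }
    }
  }
  return errors;
}

// Constructed sample manifests (hostnames under .test are placeholders).
const SAMPLE_MANIFESTS = {
  v3Local: {
    manifest_version: 3,
    content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
  },
  v3Remote: {
    manifest_version: 3,
    content_security_policy: {
      extension_pages:
        "script-src 'self' https://cdn.example.test; worker-src blob:; frame-src https://example.test",
    },
  },
  v2Remote: {
    manifest_version: 2,
    content_security_policy: "script-src 'self' https://cdn.example.test; object-src 'self'",
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, manifest] of Object.entries(SAMPLE_MANIFESTS)) {
    console.log(label, validateManifestCSP(manifest));
  }
}
```

Running the block reports no errors for `v3Local` and `v2Remote`, and two errors for `v3Remote` (the https: host in script-src and `blob:` in worker-src); the remote frame-src value is deliberately not flagged, matching the four-directive list in the description.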
Comment 9•3 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=a5b8fa092066932003822324810e0012bb9a1090
Comment 12•3 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=0abb5f9f3e20d9219795f978006c319fc6707cda
Comment 13•3 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1fb0a55f8a72669f9759a67f5d41f4180a6efb9c
Comment 14•3 years ago
Comment 15•3 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=767b07cf07c9f1108ac8cee8bd4925ff89ff5d5c
Comment 16•3 years ago
Pushed by scaraveo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4baef7adb4a4
manifest v3 content security policy support r=robwu,geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/76491eab6179
manifest v3 content security validation improvements r=robwu,geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/94ae53f11f08
remove extensions.content_script_csp preferences in favor of extensions.manifestV3.enabled r=robwu
Comment 17•3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/4baef7adb4a4
https://hg.mozilla.org/mozilla-central/rev/76491eab6179
https://hg.mozilla.org/mozilla-central/rev/94ae53f11f08
Comment 18•3 years ago
Pushed by geoff@darktrojan.net: https://hg.mozilla.org/comm-central/rev/e9afa0fd5d0c Port bug 1594234 - Remove extension CSP prefs from all-thunderbird.js. rs=bustage-fix