Open Bug 1594234 Opened 3 months ago Updated 1 day ago

disallow remotely hosted code in extensions

Categories: WebExtensions :: General, task, P2

Tracking: Not tracked

People: Reporter: mixedpuppy, Unassigned

References: Blocks 1 open bug

Attachments: 2 files

Developers can no longer use CSP directives that enable remotely hosted code (code that is not bundled with the extension). Manifests that include such directives will error at parse time.

script-src, worker-src, object-src, and style-src with non-local values are disallowed.

This will require two sets of CSP defaults, one for v2 and one for v3. As well, if bug 1594235 is implemented, we'll need a separate set for that.
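The rule stated in the description above, as an added example that is not part of this bug or of Firefox's own manifest parser: a small checker that pulls the CSP out of an extension manifest and reports any of the four named directives that carry a non-local source. It assumes the MV2 shape (`content_security_policy` is a string) and the MV3 shape (`content_security_policy` is an object whose `extension_pages` key holds the CSP); what counts as "local" here is an assumption for illustration (quoted keyword, hash and nonce tokens plus `moz-extension:` URLs), and the sample manifests are constructed. `frame-src` is deliberately not checked, since the thread leaves that question open.

```javascript
// Directives the bug description names as disallowed with non-local values.
// frame-src is left out on purpose: the thread does not settle its status.
const DISALLOWED_REMOTE_DIRECTIVES = new Set([
  "script-src",
  "worker-src",
  "object-src",
  "style-src",
]);

// Parse a CSP string into a Map of directive name -> array of source tokens.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Assumption for this example: a source is "local" if it is a quoted token
// ('self', 'none', 'sha256-...', 'nonce-...', ...) or a moz-extension: URL.
// Hosts, wildcards, network schemes, data: and blob: are treated as remote.
function isLocalSource(source) {
  if (source.startsWith("'") && source.endsWith("'")) return true;
  return /^moz-extension:/i.test(source);
}

// Return [{ directive, sources }] for every disallowed directive that lists
// at least one non-local source. An empty array means the CSP passes.
function findRemoteCodeDirectives(csp) {
  const violations = [];
  for (const [name, sources] of parseCsp(csp)) {
    if (!DISALLOWED_REMOTE_DIRECTIVES.has(name)) continue;
    const remote = sources.filter((s) => !isLocalSource(s));
    if (remote.length > 0) violations.push({ directive: name, sources: remote });
  }
  return violations;
}

// Pick the CSP string out of a manifest. The two manifest versions use
// different shapes, which is why a checker must know the version first.
function extractCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (csp === undefined) return null; // no override: the browser default applies
  if (manifest.manifest_version === 2) {
    if (typeof csp !== "string") throw new Error("MV2 content_security_policy must be a string");
    return csp;
  }
  if (manifest.manifest_version === 3) {
    if (typeof csp !== "object" || csp === null || typeof csp.extension_pages !== "string") {
      throw new Error("MV3 content_security_policy must be an object with an extension_pages string");
    }
    return csp.extension_pages;
  }
  throw new Error(`unsupported manifest_version: ${manifest.manifest_version}`);
}

// Top-level check: violations for the manifest, or [] when it passes.
function checkManifest(manifest) {
  const csp = extractCsp(manifest);
  if (csp === null) return [];
  return findRemoteCodeDirectives(csp);
}

// Constructed sample manifests (not from any real extension).
const mv2Remote = {
  manifest_version: 2,
  content_security_policy: "script-src 'self' https://cdn.example.com; object-src 'self'",
};
const mv3Local = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self' 'sha256-abc123'; object-src 'self'; frame-src https://example.com",
  },
};
const mv3RemoteWorker = {
  manifest_version: 3,
  content_security_policy: { extension_pages: "worker-src blob: https://workers.example" },
};

console.log(JSON.stringify(checkManifest(mv2Remote)));       // one script-src violation
console.log(JSON.stringify(checkManifest(mv3Local)));        // []
console.log(JSON.stringify(checkManifest(mv3RemoteWorker))); // one worker-src violation
```

The checker mirrors the description's behaviour of failing at parse time: a manifest of the wrong shape throws, and a manifest that passes simply returns an empty list, so it can be wired into a build step or a lint rule as-is.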

Is "script-src, worker-src, object-src, and style-src" an exhaustive list? More specifically, will frame-src still be allowed to specify remote resources?

(In reply to Vincent from comment #2)

> Is "script-src, worker-src, object-src, and style-src" an exhaustive list? More specifically, will frame-src still be allowed to specify remote resources?

It is documented here for Chrome:
https://developer.chrome.com/extensions/migrating_to_manifest_v3

WIP: Make sure we can differentiate between the V2 and V3 formats in order to choose the proper base CSP.
