Closed Bug 1594234 Opened 4 years ago Closed 3 years ago

disallow remotely hosted code in extensions

Categories: WebExtensions :: General, task, P2

Tracking: firefox86 fixed

Status: RESOLVED FIXED (Target: 86 Branch)

People: Reporter: mixedpuppy, Assigned: mixedpuppy

References: Blocks 1 open bug

Attachments: 3 files, 2 obsolete files

Developers can no longer use CSP directives that enable remotely hosted code (code that is not bundled with the extension). Manifests that include such directives will error at parse time.

script-src, worker-src, object-src, and style-src with non-local values are disallowed.

This will require two sets of csp defaults, one for v2 and one for v3. As well, if bug 1594235 is implemented, we'll need a separate set for that.
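The rule described above, as an added illustrative checker that is not Firefox's own manifest parser: it flags non-local sources in the four restricted directives for manifest_version 3 and leaves frame-src alone. The set of values treated as local ('self', 'none', moz-extension:) and the constructed sample policy are assumptions for the example.

```javascript
// Added example (not Firefox's own manifest parser): applies the rule from this
// bug to an extension's content_security_policy string. For manifest_version 3,
// script-src, worker-src, object-src and style-src may only contain local
// sources; any other source is reported, as the parse-time error would be.

const RESTRICTED_DIRECTIVES = ["script-src", "worker-src", "object-src", "style-src"];

// Assumption for illustration: 'self' (the extension's own origin), 'none',
// and an explicit moz-extension: source count as local. Firefox's real
// allow-list lives in its manifest schema and may accept more than this.
function isLocalSource(source) {
  const s = source.toLowerCase();
  return s === "'self'" || s === "'none'" || s.startsWith("moz-extension:");
}

// Parse "name src src; name src" into a Map of directive -> [sources].
// Like CSP itself, a repeated directive name keeps only its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name || directives.has(name.toLowerCase())) continue;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Returns the list of violations; an empty list means the policy is accepted.
// MV2 manifests keep the older, permissive rules, so they never fail here.
function validateExtensionCsp(policy, manifestVersion) {
  const violations = [];
  if (manifestVersion < 3) return violations;
  for (const [name, sources] of parseCsp(policy)) {
    if (!RESTRICTED_DIRECTIVES.includes(name)) continue; // frame-src etc. not covered
    for (const src of sources) {
      if (!isLocalSource(src)) violations.push(`${name}: non-local source ${src}`);
    }
  }
  return violations;
}

// Constructed sample policy: accepted under MV2, rejected under MV3 because
// script-src pulls code from a remote host (frame-src is not restricted here).
const SAMPLE = "script-src 'self' https://cdn.example.com; object-src 'self'; frame-src https://example.com";
console.log(validateExtensionCsp(SAMPLE, 2)); // []
console.log(validateExtensionCsp(SAMPLE, 3)); // [ "script-src: non-local source https://cdn.example.com" ]
```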

Is "script-src, worker-src, object-src, and style-src" an exhaustive list? More specifically, will frame-src still be allowed to specify remote resources?

(In reply to Vincent from comment #2)

Is "script-src, worker-src, object-src, and style-src" an exhaustive list? More specifically, will frame-src still be allowed to specify remote resources?

It is documented here for Chrome:
https://developer.chrome.com/extensions/migrating_to_manifest_v3

WIP Make sure we can differentiate between V2 and V3 format in order to choose proper base CSP.

Assignee: nobody → mixedpuppy
Status: NEW → ASSIGNED
Attachment #9121440 - Attachment is obsolete: true
Attachment #9121671 - Attachment is obsolete: true

This patch adds CSP validation for manifest v3 changes when parsing the addon manifest.

Blocks: 1685627
Pushed by scaraveo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4baef7adb4a4
manifest v3 content security policy support r=robwu,geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/76491eab6179
manifest v3 content security validation improvements r=robwu,geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/94ae53f11f08
remove extensions.content_script_csp preferences in favor of extensions.manifestV3.enabled r=robwu
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/e9afa0fd5d0c
Port bug 1594234 - Remove extension CSP prefs from all-thunderbird.js. rs=bustage-fix
See Also: → 1581611
See Also: → 1789751