disallow remotely hosted code in extensions
Categories
(WebExtensions :: General, task, P2)
Tracking
(firefox86 fixed)
People
(Reporter: mixedpuppy, Assigned: mixedpuppy)
References
(Blocks 2 open bugs)
Details
Attachments
(3 files, 2 obsolete files)
Developers can no longer use CSP directives that enable remotely hosted code (code that is not bundled with the extension). Manifests that include such directives will error at parse time.
script-src, worker-src, object-src, and style-src with non-local values are disallowed.
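As an added illustration of the rule stated in the description (not code from this bug or from Firefox), the following validator parses an extension's CSP string and rejects any non-local source in the four directives named above, following the standard CSP fallback chain (e.g. script-src falling back to default-src) so that a remote source smuggled in through default-src is also caught. Which sources count as "local" here ('self', 'none', and the moz-extension: scheme) is an assumption made for this example; frame-src is deliberately left unchecked because the description does not list it. The function names are hypothetical.

```javascript
// Added example: minimal validator for the "no remotely hosted code" CSP rule.
// This is illustrative, not the Firefox implementation. The set of sources
// treated as local is an assumption made here.

// Directives that must not reference remote code, with their CSP fallback
// chain (checked in order when the directive itself is absent).
const RESTRICTED_DIRECTIVES = {
  "script-src": ["default-src"],
  "object-src": ["default-src"],
  "style-src": ["default-src"],
  // CSP3: worker-src falls back to child-src, then script-src, then default-src.
  "worker-src": ["child-src", "script-src", "default-src"],
};

// Parse "dir a b; dir2 c" into a Map of directive name -> list of sources.
function parseCSP(policy) {
  const directives = new Map();
  for (const rawDirective of policy.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Per CSP, a repeated directive is ignored; the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Assumed "local" sources: 'self', 'none', and the extension's own scheme.
// Everything else (http(s) hosts, '*', data:, blob:, 'unsafe-eval',
// 'unsafe-inline', nonces, hashes) is rejected for restricted directives.
function isLocalSource(source) {
  const s = source.toLowerCase();
  if (s === "'self'" || s === "'none'") return true;
  return s === "moz-extension:" || s.startsWith("moz-extension://");
}

// Resolve the sources that actually govern `name`, honouring fallbacks.
function effectiveSources(directives, name) {
  if (directives.has(name)) {
    return { from: name, sources: directives.get(name) };
  }
  for (const fallback of RESTRICTED_DIRECTIVES[name]) {
    if (directives.has(fallback)) {
      return { from: fallback, sources: directives.get(fallback) };
    }
  }
  return null; // nothing specified; a built-in base CSP would apply
}

// Returns { ok, errors }. Each error names the directive, the offending
// source, and the directive it was inherited from (if via fallback).
function validateExtensionCSP(policy) {
  const directives = parseCSP(policy);
  const errors = [];
  for (const name of Object.keys(RESTRICTED_DIRECTIVES)) {
    const effective = effectiveSources(directives, name);
    if (!effective) continue;
    for (const source of effective.sources) {
      if (!isLocalSource(source)) {
        errors.push(`${name}: non-local source ${source} (via ${effective.from})`);
      }
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample policies for a quick run.
console.log(validateExtensionCSP("script-src 'self'; object-src 'self'"));
console.log(validateExtensionCSP("script-src 'self' https://cdn.example.com; object-src 'self'"));
console.log(validateExtensionCSP("default-src https://example.com"));
```

Note that the second sample produces two errors, not one: the remote host is rejected for script-src directly and again for worker-src, which inherits from script-src. Reporting the inherited path makes it clear to a developer why a directive they never wrote is being flagged.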
Comment 1•2 years ago
This will require two sets of csp defaults, one for v2 and one for v3. As well, if bug 1594235 is implemented, we'll need a separate set for that.
Is script-src, worker-src, object-src, and style-src an exhaustive list? More specifically, will frame-src still be allowed to specify remote resources?
Comment 3•1 year ago
(In reply to Vincent from comment #2)
Is script-src, worker-src, object-src, and style-src an exhaustive list? More specifically, will frame-src still be allowed to specify remote resources?
It is documented here for Chrome:
https://developer.chrome.com/extensions/migrating_to_manifest_v3
Comment 4•1 year ago
WIP: Make sure we can differentiate between V2 and V3 format in order to choose the proper base CSP.
Comment 5•1 year ago
Comment 6•1 year ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=40b471cc121e4854e28b40444e2b80ada56e1f9d
Updated•1 year ago
Comment 7•5 months ago
Updated•5 months ago
Updated•5 months ago
Comment 8•5 months ago
This patch adds CSP validation for manifest v3 changes when parsing the addon manifest.
Comment 9•5 months ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=a5b8fa092066932003822324810e0012bb9a1090
Comment 12•5 months ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=0abb5f9f3e20d9219795f978006c319fc6707cda
Comment 13•5 months ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1fb0a55f8a72669f9759a67f5d41f4180a6efb9c
Comment 14•5 months ago
Comment 15•5 months ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=767b07cf07c9f1108ac8cee8bd4925ff89ff5d5c
Comment 16•4 months ago
Pushed by scaraveo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4baef7adb4a4 manifest v3 content security policy support r=robwu,geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/76491eab6179 manifest v3 content security validation improvements r=robwu,geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/94ae53f11f08 remove extensions.content_script_csp preferences in favor of extensions.manifestV3.enabled r=robwu
Comment 17•4 months ago
https://hg.mozilla.org/mozilla-central/rev/4baef7adb4a4
https://hg.mozilla.org/mozilla-central/rev/76491eab6179
https://hg.mozilla.org/mozilla-central/rev/94ae53f11f08
Comment 18•4 months ago
Pushed by geoff@darktrojan.net: https://hg.mozilla.org/comm-central/rev/e9afa0fd5d0c Port bug 1594234 - Remove extension CSP prefs from all-thunderbird.js. rs=bustage-fix