1594234 - disallow remotely hosted code in extensions

Status: RESOLVED FIXED

(WebExtensions :: General, task, P2)

Description

[Shane Caraveo (:mixedpuppy)]

Developers can no longer use CSP directives that enable remotely hosted code (code that is not bundled with the extension). Manifests that include such directives will error at parse time.

script-src, worker-src, object-src, and style-src with non-local values are disallowed.

Comment 1

[Shane Caraveo (:mixedpuppy)]

This will require two sets of csp defaults, one for v2 and one for v3. As well, if bug 1594235 is implemented, we'll need a separate set for that.

Comment 2

[Vincent]

Is

script-src, worker-src, object-src, and style-src

an exhaustive list? More specifically, will frame-src still be allowed to specify remote resources?

Comment 3

[Shane Caraveo (:mixedpuppy)]

(In reply to Vincent from comment #2)

Is

script-src, worker-src, object-src, and style-src

an exhaustive list? More specifically, will frame-src still be allowed to specify remote resources?

It is documented here for Chrome:
https://developer.chrome.com/extensions/migrating_to_manifest_v3

Comment 4

[Shane Caraveo (:mixedpuppy)]

Attachment: Bug 1594234 make use of V3 format for CSP deterministic

WIP Make sure we can differentiate between V2 and V3 format in order to choose proper base CSP.

Comment 5

[Shane Caraveo (:mixedpuppy)]

Attachment: Bug 1594234 support manifest V3 specific base CSP

Comment 6

[Shane Caraveo (:mixedpuppy)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=40b471cc121e4854e28b40444e2b80ada56e1f9d

Comment 7

[Shane Caraveo (:mixedpuppy)]

Attachment: Bug 1594234 manifest v3 content security policy support

Comment 8

[Shane Caraveo (:mixedpuppy)]

Attachment: Bug 1594234 manifest v3 content security validation improvements

This patch adds CSP validation for manifest v3 changes when parsing the addon manifest.

Comment 9

[Shane Caraveo (:mixedpuppy)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=a5b8fa092066932003822324810e0012bb9a1090

Comment 12

[Shane Caraveo (:mixedpuppy)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=0abb5f9f3e20d9219795f978006c319fc6707cda

Comment 13

[Shane Caraveo (:mixedpuppy)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=1fb0a55f8a72669f9759a67f5d41f4180a6efb9c

Comment 14

[Shane Caraveo (:mixedpuppy)]

Attachment: Bug 1594234 remove extensions.content_script_csp preferences in favor of extensions.manifestV3.enabled

Comment 15

[Shane Caraveo (:mixedpuppy)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=767b07cf07c9f1108ac8cee8bd4925ff89ff5d5c

Comment 16

[Pulsebot]

Pushed by scaraveo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4baef7adb4a4
manifest v3 content security policy support r=robwu,geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/76491eab6179
manifest v3 content security validation improvements r=robwu,geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/94ae53f11f08
remove extensions.content_script_csp preferences in favor of extensions.manifestV3.enabled r=robwu

Comment 17

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/4baef7adb4a4
https://hg.mozilla.org/mozilla-central/rev/76491eab6179
https://hg.mozilla.org/mozilla-central/rev/94ae53f11f08

Comment 18

[Pulsebot]

Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/e9afa0fd5d0c
Port bug 1594234 - Remove extension CSP prefs from all-thunderbird.js. rs=bustage-fix