(In reply to Daniel Veditz [:dveditz] from comment #2)
My personal feeling is that we shouldn't have privileged sites at all (it's not fair, it adds attack surface) but currently restrictedDomains is more about the install and remote-troubleshooting permissions, as well as sync/FxA. UITour is fairly benign -- or at least it has been. We keep adding capabilities to it and I don't know what kind of review those go through.
I watch the changes to the directory and usually review the changes but occasionally I don't get flagged e.g.
I guess my concern would be more about what new things were added to UITour for Monitor (that any hacked UITour site could also use) than whether Monitor itself should be granted that permission.
I don't think we will add anything new for Monitor.
But also, if Monitor is going to be one of the privileged sites, what are the access controls for the site, who can change its content, and what kind of review process do those changes have? I assume Monitor has had an RRA. Have things changed since then such that we should do a new RRA or does the old one still cover things?
I'll let Lesley answer this.
Having a web page be able to open about:logins gives me a nagging worry. I don't consciously know what that's about yet, but I've learned to pay attention to that feeling. Clickjacking the "Copy" button? Making sure someone's entered their master password before doing some kind of auto-password-fill attack (then using XSS on the victim sites)?
UITour doesn't currently allow opening about:logins directly; I pushed back against that when it was wanted for https://www.mozilla.org/firefox/lockwise/ as I was also concerned about clickjacking issues. Instead it can open the menu with the Logins and Passwords menu item highlighted (click "Open in Firefox" on that page). Since it requires a click before opening about:logins, do you think it's fine to grant the uitour permission if the access control to the Monitor repo is locked down?
I had suggested to Luke that an alternative would be using a WebChannel specific to https://monitor.firefox.com with only the ability to highlight the menu, though that may be more complicated since UITour assumes it was invoked from the DOM API.