Open Bug 1654033 Opened 4 years ago Updated 4 years ago

Clarify documentation: When to use AddonPolicy / IsAddonOrExpandedAddonPrincipal / AddonAllowsLoad

Categories: WebExtensions :: General, task, P3

Tracking: Not tracked

People: Reporter: robwu, Unassigned

Details

In https://phabricator.services.mozilla.com/D84179#inline-480028 Gijs remarked that it's not obvious whether and when to use a principal's AddonPolicy or IsAddonOrExpandedAddonPrincipal.

In a nutshell:

  • AddonPolicy to check if the principal is a moz-extension:-principal. This principal is entrusted with the privileges to run the full extension API.
  • IsAddonOrExpandedAddonPrincipal to also allow extension content scripts. Content scripts are only marginally more trusted than web pages. We may drop some privileges from content scripts in the future (bug 1578405).

As a rule of thumb, when deciding on which to use when exposing functionality to extensions:

  • For functionality that is very powerful and shouldn't be exposed to (web) content, use AddonPolicy.
  • For functionality that is safe to inadvertently be exposed to web content, or functionality that cannot easily be exposed by content scripts to web content *, IsAddonOrExpandedAddonPrincipal may be used.
  • When backcompat is a concern that can only be resolved by allowing content scripts to access the feature, use IsAddonOrExpandedAddonPrincipal.
  • If in doubt, use AddonPolicy. It is easier to relax the check and add functionality to content scripts than to do the reverse (and remove functionality).

* For example, extensions can easily be tricked by web pages to mutate some DOM (element.innerHTML += ...) or perform a navigation (location.href ...). It is not obvious that these operations may carry risk, so it's best to not tie powerful functionality to these operations.
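As an added illustration, not code from the Gecko tree, the following self-contained C++ model sketches the three principal kinds the comment distinguishes (a web content principal, a moz-extension: principal, and the expanded principal a content script runs with) and the two gates the rule of thumb describes. WebExtensionPolicy, Principal and the Make* helpers are constructed stand-ins for the real classes, not their actual API.

```cpp
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for the policy object attached to a moz-extension: principal.
struct WebExtensionPolicy { std::string id; };

struct Principal {
  enum Kind { Content, Extension, Expanded } kind;
  std::string origin;                                 // "https://..." or "moz-extension://..."
  std::shared_ptr<WebExtensionPolicy> policy;         // only set for Extension principals
  std::vector<std::shared_ptr<Principal>> allowList;  // members of an Expanded principal

  // Models AddonPolicy(): non-null only for the moz-extension: principal itself,
  // i.e. code trusted with the full extension API.
  const WebExtensionPolicy* AddonPolicy() const {
    return kind == Extension ? policy.get() : nullptr;
  }

  // Models IsAddonOrExpandedAddonPrincipal(): also true for an expanded principal
  // whose allow list contains an extension principal (the content-script case).
  bool IsAddonOrExpandedAddonPrincipal() const {
    if (kind == Extension) return true;
    if (kind != Expanded) return false;
    for (const auto& p : allowList) if (p->kind == Extension) return true;
    return false;
  }
};

// Powerful functionality that must never reach web content: gate on AddonPolicy.
bool MayUsePrivilegedExtensionApi(const Principal& p) { return p.AddonPolicy() != nullptr; }

// Low-risk functionality that content scripts may also use: the relaxed check.
bool MayUseContentScriptSafeFeature(const Principal& p) { return p.IsAddonOrExpandedAddonPrincipal(); }

// Sample principals (constructed values, not real origins or extension ids).
std::shared_ptr<Principal> MakeWeb(const std::string& origin) {
  return std::make_shared<Principal>(Principal{Principal::Content, origin, nullptr, {}});
}
std::shared_ptr<Principal> MakeExtension(const std::string& id) {
  return std::make_shared<Principal>(Principal{Principal::Extension, "moz-extension://" + id,
                                               std::make_shared<WebExtensionPolicy>(WebExtensionPolicy{id}), {}});
}
// A content script's expanded principal: the extension principal plus the page's principal.
std::shared_ptr<Principal> MakeContentScript(const std::string& id, const std::string& pageOrigin) {
  return std::make_shared<Principal>(Principal{Principal::Expanded, "[Expand]", nullptr,
                                               {MakeExtension(id), MakeWeb(pageOrigin)}});
}
```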

Severity: -- → N/A
Priority: -- → P3