Open
Bug 1654033
Opened 4 years ago
Updated 4 years ago
Clarify documentation: When to use AddonPolicy / IsAddonOrExpandedAddonPrincipal / AddonAllowsLoad
Categories
(WebExtensions :: General, task, P3)
Tracking
(Not tracked)
NEW
People
(Reporter: robwu, Unassigned)
Details
In https://phabricator.services.mozilla.com/D84179#inline-480028 Gijs remarked that it's not obvious whether and when to use a principal's AddonPolicy or IsAddonOrExpandedAddonPrincipal.
In a nutshell:
- AddonPolicy to check if the principal is a moz-extension:-principal. This principal is entrusted with the privileges to run the full extension API.
- IsAddonOrExpandedAddonPrincipal to also allow extension content scripts. Content scripts are only marginally more trusted than web pages. We may drop some privileges from content scripts in the future (bug 1578405).
As a rule of thumb, when deciding on which to use when exposing functionality to extensions:
- For functionality that is very powerful and shouldn't be exposed to (web) content, use AddonPolicy.
- For functionality that is safe to inadvertently be exposed to web content, or functionality that cannot easily be exposed by content scripts to web content *, IsAddonOrExpandedAddonPrincipal may be used.
- When backcompat is a concern that can only be resolved by allowing content scripts to access the feature, use IsAddonOrExpandedAddonPrincipal.
- If in doubt, use AddonPolicy. It is easier to relax the check and add functionality to content scripts than to do the reverse (and remove functionality).
* For example, extensions can easily be tricked by web pages to mutate some DOM (element.innerHTML += ...) or perform a navigation (location.href ...). It is not obvious that these operations may carry risk, so it's best to not tie powerful functionality to these operations.
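The difference between the two checks, as an added example that is not part of the bug report and is not Gecko code: a simplified stand-alone C++ model. The Principal struct, the two feature gates and the sample principals are assumptions; it also assumes a content script runs with an expanded principal that wraps the page's principal and the extension's principal.

```cpp
// Simplified stand-alone model, not Gecko code. Principal, the two gates and
// the sample principals are assumptions; only the check names are from the bug.
#include <string>
#include <vector>

struct Principal {
  std::string scheme;                // "https", "moz-extension", ...
  std::string addonId;               // constructed id; empty for web pages
  std::vector<Principal> allowlist;  // non-empty => expanded principal
};

// Model of AddonPolicy(): non-null only for the extension's own
// moz-extension: principal, never for an expanded principal.
const std::string* AddonPolicy(const Principal& p) {
  bool isExtension = p.allowlist.empty() && p.scheme == "moz-extension";
  return (isExtension && !p.addonId.empty()) ? &p.addonId : nullptr;
}

// Model of IsAddonOrExpandedAddonPrincipal(): additionally accepts an
// expanded principal that wraps an extension principal (a content script).
bool IsAddonOrExpandedAddonPrincipal(const Principal& p) {
  if (AddonPolicy(p)) return true;
  for (const Principal& inner : p.allowlist) {
    if (AddonPolicy(inner)) return true;
  }
  return false;
}

// Hypothetical gate for a powerful feature: full extension contexts only.
bool MayUsePowerfulFeature(const Principal& caller) {
  return AddonPolicy(caller) != nullptr;
}

// Hypothetical gate for a feature that is safe even if it leaks to web content.
bool MayUseLowRiskFeature(const Principal& caller) {
  return IsAddonOrExpandedAddonPrincipal(caller);
}

// Constructed sample principals.
Principal WebPage() { return {"https", "", {}}; }
Principal ExtensionPage() { return {"moz-extension", "addon@example", {}}; }
Principal ContentScript() { return {"", "", {WebPage(), ExtensionPage()}}; }
```

In this model a content script passes only the broader check, so gating a feature on AddonPolicy keeps it out of reach of a content script that a web page has managed to influence.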
Updated • 4 years ago
Severity: -- → N/A
Priority: -- → P3