1685123 - implement manifest sandbox support

Status: ASSIGNED

(WebExtensions :: General, enhancement, P3)

Description

[Shane Caraveo (:mixedpuppy)]

with manifest v3 csp changes, the sandbox functionality becomes important as a way to allow extensions to continue using javascript frameworks that still use eval or other eval-like constructs. We should support sandbox for those use cases.

https://developer.chrome.com/docs/extensions/mv3/manifest/sandbox/

Comment 1

[Shane Caraveo (:mixedpuppy)]

Attachment: Bug 1685123 part 1: sandboxed extensions pages are allowed to load their own resources

Comment 2

[Shane Caraveo (:mixedpuppy)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=8f6a242f867ceb46f5ffe9d49da5a74925cec52f

Comment 3

[Shane Caraveo (:mixedpuppy)]

Attachment: Bug 1685123 add sandbox to extension manifest and policy

Comment 4

[Shane Caraveo (:mixedpuppy)]

Attachment: Bug 1685123 apply sandbox base csp to sandboxed pages

Comment 5

[Shane Caraveo (:mixedpuppy)]

Attachment: Bug 1685123 part 4: apply sandbox csp from the extension manifest if defined

Comment 7

[Shane Caraveo (:mixedpuppy)]

This bug is going on hold for now, we will revisit whether we want to support sandbox sometime down the road. part 1 might be something we split out to its own bug.

Comment 8

[Phabricator Automation]

Comment on attachment 9195509 [details]
Bug 1685123 part 1: sandboxed extensions pages are allowed to load their own resources

Revision D100834 was moved to bug 1700762. Setting attachment 9195509 [details] to obsolete.

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

The following patch is waiting for review from an inactive reviewer:

ID	Title	Author	Reviewer Status
D101241	Bug 1685123 apply sandbox base csp to sandboxed pages	mixedpuppy	robwu: Inactive

:mixedpuppy, could you please find another reviewer or abandon the patch if it is no longer relevant?

For more information, please visit auto_nag documentation.

Comment 10

[Suhaib Mujahid [:suhaib]]

Sorry for the noise, there was a problem with a Bugzilla API that caused the bot to think more people were inactive than normal (bug 1789646).

Comment 12

[swleefers]

Would this sandbox allow for extensions that do browser automation, i.e. extensions that can execute Javascript received from a (trusted) native application? It is currently possible to have a native application send Javascript code for an extension to execute, which is mighty useful. It is code existing on the user's computer, sent to the Firefox extension by a native application that already has local execution privileges, so there is no real escalation of privileges by the extension's ability to do eval, as I understand it. (Eval is currently needed for that in combination with native messaging.)