Closed
Bug 1685627
Opened 4 years ago
Closed 2 years ago
Look into setting our base csp on workers created from addons
Categories
(WebExtensions :: General, enhancement, P2)
Tracking
(firefox104 fixed)
RESOLVED
FIXED
104 Branch
Tracking | Status | |
---|---|---|
firefox104 | --- | fixed |
People
(Reporter: mixedpuppy, Assigned: rpl)
References
(Blocks 1 open bug, Regressed 1 open bug)
Details
(Keywords: sec-want, Whiteboard: mv3:m2 [mv3-m2] [adv-main104-])
Attachments
(1 file)
CSP is not inherited (bug 1413492), so we will need to look at what should be done to set proper CSP limitations on them.
Comment 1•4 years ago
Do you have a test case?
I forgot to, but I meant to file a bug about new Worker(url) being able to load a worker with the origin of the given URL, despite the caller origin being a moz-extension:-URL. That is, an extension with the right host permission is able to load a cross-origin worker. This may not entirely be desired...
CSP directive worker-src is enforced for the URL for the Worker constructor (despite cross-origin Workers not being desired behavior).
Reporter
Updated•3 years ago
Whiteboard: mv3:m2
Reporter
Updated•3 years ago
Whiteboard: mv3:m2 → mv3:m2 [mv3-m2]
Updated•3 years ago
See Also: → https://jira.mozilla.com/browse/WEBEXT-12
Updated•3 years ago
Points: --- → 5
Updated•2 years ago
Whiteboard: mv3:m2 [mv3-m2] → mv3:m2 [mv3-m2]
Assignee
Comment 2•2 years ago
Updated•2 years ago
Assignee: nobody → lgreco
Status: NEW → ASSIGNED
Pushed by luca.greco@alcacoop.it: https://hg.mozilla.org/integration/autoland/rev/53c490e52eb6 Use extension CSP for workers with a moz-extension url. r=asuth,mixedpuppy
Comment 4•2 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox104:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch
Updated•2 years ago
Whiteboard: mv3:m2 [mv3-m2] → mv3:m2 [mv3-m2] [adv-main104-]