Closed Bug 1685627 Opened 4 years ago Closed 2 years ago

Look into setting our base csp on workers created from addons

Tracking

(firefox104 fixed)

Status:

RESOLVED FIXED

Milestone:

104 Branch

Tracking Flags:

Tracking

Status

firefox104

---

fixed

People

(Reporter: mixedpuppy, Assigned: rpl)

References

(Blocks 1 open bug, Regressed 1 open bug)

Details

(Keywords: sec-want, Whiteboard: mv3:m2 [mv3-m2] [adv-main104-])

Attachments

(1 file)

Bug 1685627 - Use extension CSP for workers with a moz-extension url. 2 years ago Luca Greco [:rpl] [:luca] [:lgreco] 48 bytes, text/x-phabricator-request		Details \| Review

Shane Caraveo (:mixedpuppy)

Reporter

Description

•

4 years ago

CSP is not inherited (bug 1413492) so we will need to look at what should be done to set proper csp limitations on them.

Rob Wu [:robwu]

Comment 1

•

4 years ago

Do you have a test case?

I forgot to, but I meant to file a bug about new Worker(url) being able to load a worker with the origin of the given URL, despite the caller origin being a moz-extension:-URL. That is, an extension with the right host permission is able to load a cross-origin worker. This may not entirely be desired...

CSP directive worker-src is enforced for the URL for the Worker constructor (despite cross-origin Workers not being desired behavior).

Rob Wu [:robwu]

Updated

•

3 years ago

Updated

•

3 years ago

Whiteboard: mv3:m2

Shane Caraveo (:mixedpuppy)

Reporter

Updated

•

3 years ago

Whiteboard: mv3:m2 → mv3:m2 [mv3-m2]

Julien Chaupitre

Updated

•

3 years ago

See Also: → https://jira.mozilla.com/browse/WEBEXT-12

Julien Chaupitre

Updated

•

3 years ago

Points: --- → 5

Julien Chaupitre

Updated

•

2 years ago

Whiteboard: mv3:m2 [mv3-m2] → mv3:m2 [mv3-m2]

Daniel Veditz [:dveditz]

Updated

•

2 years ago

Keywords: sec-want

Rob Wu [:robwu]

Updated

•

2 years ago

Comment 2

•

2 years ago

Attached file Bug 1685627 - Use extension CSP for workers with a moz-extension url. — Details

Phabricator Automation

Updated

•

2 years ago

Assignee: nobody → lgreco

Status: NEW → ASSIGNED

Pulsebot

Comment 3

•

2 years ago

Pushed by luca.greco@alcacoop.it:
https://hg.mozilla.org/integration/autoland/rev/53c490e52eb6
Use extension CSP for workers with a moz-extension url. r=asuth,mixedpuppy

Marian-Vasile Laza

Comment 4

•

2 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/53c490e52eb6

Status: ASSIGNED → RESOLVED

Closed: 2 years ago

status-firefox104: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 104 Branch

Natalia Csoregi [:nataliaCs]

Updated

•

2 years ago

Regressions: 1776962

Tom Ritter [:tjr] (OOTO until mid-August)

Updated

•

2 years ago

Whiteboard: mv3:m2 [mv3-m2] → mv3:m2 [mv3-m2] [adv-main104-]

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Look into setting our base csp on workers created from addons

Categories

(WebExtensions :: General, enhancement, P2)

Tracking

(firefox104 fixed)

People

(Reporter: mixedpuppy, Assigned: rpl)

References

(Blocks 1 open bug, Regressed 1 open bug)

Details

(Keywords: sec-want, Whiteboard: mv3:m2 [mv3-m2] [adv-main104-])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Updated

Updated

Updated

Updated

Updated

Updated

Updated

Comment 2

Updated

Comment 3

Comment 4

Updated

Updated

Attachment

General

Description

File Name

Content Type