Open Bug 1707107 Opened 4 years ago Updated 2 months ago

tabs.executeScript with code has "sandbox eval code" as filename in stack trace and CSP violation reports

Categories

(WebExtensions :: General, task, P3)

Product:
WebExtensions
Component:
General
Type:
task

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned)

References

(Blocks 2 open bugs)

Details

browser.tabs.executeScript({code: "console.log(new Error().stack)"})
shows:
@sandbox eval code:1:1

In CSP violation reports, the sourceFile field is "sandbox eval code".
If we were to try and fix bug 1588957 by filtering reports with sourceFile moz-extension:, then the logic wouldn't work because of this.

This string was introduced in https://hg.mozilla.org/mozilla-central/rev/a2f7185ec909 (bug 1577407) without unit test, but the immediate trigger for the snippet has been removed in https://hg.mozilla.org/mozilla-central/rev/f560d280f658584218a828e8dd7697fbfa809199 (bug 1673328). Consequently, the string "sandbox eval code" does not serve any clear purpose. For example, it could be changed to a dummy value moz-extension://00000000-0000-0000-0000-000000000000/executeScript without triggering any test failure.

It seems like it could be useful to change that to use the moz-ext url as you suggest, though the real uuid.

Severity: -- → N/A
Priority: -- → P3
See Also: → 1900410
Blocks: 1651557
See Also: → 1910624
You need to log in before you can comment on or make changes to this bug.