support use_dynamic_url in web_accessible_resources
Categories
(WebExtensions :: General, enhancement, P2)
Tracking
(Not tracked)
People
(Reporter: mixedpuppy, Unassigned)
References
(Blocks 2 open bugs)
Details
(Whiteboard: mv3:m2 [mv3-m2] )
use_dynamic_url is not fully documented(?) or implemented in chrome, however, the assumption is that it would cause that resource to be accessible by something akin to our use of a per-profile uuid based origin.
In our case, everything is already that, however we may want to consider supporting use_dynamic_url as a way to "turn off" this for a particular resource, and allowing a moz-extension://extension-id/ origin. This would simplify use cases where an addon integrates with a website.
mv3:m1: decide if we want to do that
mv3:future: implement.
|
Reporter | |
Updated•3 years ago
|
|
|
Reporter | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Comment 1•2 years ago
|
||
Support for use_dynamic_url has landed in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=1133624#c28
|
||
Comment 2•1 year ago
|
||
In our case, everything is already that
Not quite! Chrome's dynamic url in manifest v3 is per-session, like Safari's, not per-install like ours.
https://developer.chrome.com/docs/extensions/mv3/manifest/web_accessible_resources/
If a Firefox extension leaks a resource into content—like bug 1717672 mentioned above—then web pages get a stable unique fingerprint for that user that undercuts every other attempt at anonymity we do. I don't see any reason to support the "false" state as an opt-out, it's just a bad idea for extensions to code themselves that way. I haven't heard any noises about Safari wanting to support that. Doesn't make a lot of sense to support a "true" state and still also support our current non-dynamic UUID. We should just switch to an "always dynamic" UUID like Safari.
For clarification purposes:
-
With
use_dynamic_url, wouldbrowser.runtime.getURL('')point to the real or dynamic UUID? -
Would a
<style>element inside a shadow DOM with{mode: 'closed'}leak UUID?
▼ #shadow-root (closed)
<style>@import "moz-extension://f5d...411/shadow.css";</style>
|
|
||
Comment 4•3 months ago
|
||
(In reply to Rob Wu [:robwu] from comment #1)
Support for use_dynamic_url has landed in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=1133624#c28
FYI: While the manifest key has shipped, runtime.getURL() still returns the static extension URL in Chrome, which reduces the usefulness of use_dynamic_url, especially from the perspective of perceived privacy.
- https://source.chromium.org/chromium/chromium/src/+/main:extensions/renderer/api/runtime_hooks_delegate.cc;l=172-178;drc=05bf2f656ba75f107b4a8c665e5d74d13c956119
- External comment calling out this missing aspect in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=1133624#c31
I've asked the team at Chromium for an update on their support and will update here when there is any news.
|
|
||
Comment 5•2 months ago
|
||
(In reply to Rob Wu [:robwu] from comment #4)
(In reply to Rob Wu [:robwu] from comment #1)
Support for use_dynamic_url has landed in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=1133624#c28
I've asked the team at Chromium for an update on their support and will update here when there is any news.
Launch bug is https://issues.chromium.org/issues/324975819
|
|
||
Comment 6•13 days ago
|
||
Chrome wants to ship this by Q4 this year: https://issues.chromium.org/issues/40151106#comment35
Description
•