optional_permissions are granted without prompting the user
Categories
(Thunderbird :: Add-Ons: Extensions API, defect)
Tracking
(thunderbird_esr78+ fixed, thunderbird89 wontfix, thunderbird90+ fixed)
People
(Reporter: TbSync, Assigned: TbSync)
Details
Attachments
(2 files)
|
1.12 KB,
application/x-xpinstall
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
wsmwk
:
approval-comm-beta+
wsmwk
:
approval-comm-esr78+
|
Details | Review |
If an add-on requests optional permissions, it should prompt the user to either grant or deny them. Thunderbird silently grants them.
STR:
- install attached add-on (the add-on does not request any permissions)
- click on the Request Permissions browser action button
- observe a notification being popped, so the notifications permission has been granted
- observe the JavaScript console where the "messagesMove" permission is shown to be granted
|
Assignee | |
Comment 1•3 years ago
|
||
Firefox prompts as expected.
|
|
Assignee | |
Comment 2•3 years ago
|
||
|
|
Assignee | |
Comment 3•3 years ago
•
|
||
I do not know if the suggested fix is ok. Feedback is appreciated.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 4•3 years ago
•
|
||
I will prepare uplift next.
https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=0992145a9aaa9efa6795546072efca9bd2c48ddc
|
|
Assignee | |
Comment 5•3 years ago
|
||
Comment on attachment 9228349 [details]
Bug 1716937 - Fix missing check for optional permissions. r=mkmelin
[Approval Request Comment]
Regression caused by (bug #):
User impact if declined:
Without this fix, add-ons can silently request any permission.
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky):
[Approval Request Comment]
Regression caused by (bug #):
User impact if declined:
Without this fix, add-ons can silently request any permission.
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky):
|
||
Comment 6•3 years ago
|
||
justdave, this is wanted for 90.0b3.
Magnus, John posted in matrix "I do not think it is actively exploited. Given the fact, that I have not seen it for ATN add-ons, I would stick with the plan to skip it on ESR till 78.12 or 78.11.1 if any other reason comes to release that." ... Thus plan would remain to not do a 78.11.1 because of the small pool of uplifts https://mzl.la/31XnnSF - and bug 1682370 must wait to 78.12. Sound good?
|
|
||
Comment 7•3 years ago
|
||
Comment on attachment 9228349 [details]
Bug 1716937 - Fix missing check for optional permissions. r=mkmelin
[Triage Comment]
Approved for beta - based on the expectation that the patch will have been on nightly for several days by the time we release 90.0b3
|
||
Updated•3 years ago
|
|
|
||
Comment 9•3 years ago
|
||
|
||
Updated•3 years ago
|
|
||
Comment 10•3 years ago
|
||
Thunderbird 90.0b3 (build 2)
https://hg.mozilla.org/releases/comm-beta/rev/81bd71a92c935f443c0e86ed4b2ba6ae0f9b5abb
|
|
||
Comment 11•3 years ago
|
||
Comment on attachment 9228349 [details]
Bug 1716937 - Fix missing check for optional permissions. r=mkmelin
[Triage Comment]
Approved for esr78
|
||
Comment 12•3 years ago
|
||
Thunderbird 78.12.0:
https://hg.mozilla.org/releases/comm-esr78/rev/b810c39fe95c
|
||
Updated•2 years ago
|
Description
•