If Firefox translations is enabled, allow JS loads from moz-extensions in the Parent Process
Categories
(Firefox :: Translations, enhancement)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox92 | --- | fixed |
People
(Reporter: tjr, Assigned: tjr)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
|
Bug 1722775: Exempt Firefox Translation users from having their script security checked r?andrenatal
48 bytes,
text/x-phabricator-request
|
Details | Review |
Bug 1582512 is about disallowing javascript to be executed in the parent unless it comes from a trusted source. Part of this includes blocklisting moz-extension URIs if the extension process is enabled. Because we're in warning-only mode, the new translation extensions that load javascript in the parent from a moz-extension URI started (silently) triggering it.
There seem to be multiple translation extensions (moz-extension://[firefox-infobar-ui-bergamot-browser-extension@browser.mt: Firef..., moz-extension://[firefox-translations@mozilla.org: Firefox Translations]/experim... , moz-extension://[bergamot-browser-extension@mozilla.org: Bergamot Translate]/exp...) so for now I'm just going to do a blanket exemption, but will file a follow-up bug to turn it into a more strict allow-list.
|
||
Comment 1•3 years ago
|
||
Are these all mozilla-signed? If so, can they not use the dynamic manifest stuff (addBootstrappedManifestLocation on Components.manager) so they get chrome URIs for the scripts in question? This is what e.g. the autofill system add-on does.
|
Assignee | |
Comment 2•3 years ago
|
||
|
||
Comment 3•3 years ago
|
||
We don't use addBootstrappedManifestLocation anywhere in our code, so tom's patch should be used by now.
Pushed by tritter@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/401ac4496964 Exempt Firefox Translation users from having their script security checked r=andrenatal
|
||
Comment 5•3 years ago
|
||
| bugherder | ||
Description
•