Introduce reliable isPrivileged flag in ExtensionData
Categories
(WebExtensions :: General, task, P2)
Tracking
(firefox99 fixed)
Tracking | Status | |
---|---|---|
firefox99 | --- | fixed |
People
(Reporter: robwu, Assigned: robwu)
References
(Blocks 3 open bugs)
Details
(Whiteboard: [addons-jira])
Attachments
(6 files)
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review |
In bug 1733466, a certain manifest feature (l10n_resources
) is limited to privileged extensions. The ExtensionData
class is not aware of the concept of privileged extensions, only the Extension
subclass is.
In bug 1675858, the lack of "isPrivileged" led to the introduction of hacks to avoid depending on the privileged flag for permission parsing, and resulted in skipping some warning messages when related to privileged API permissions. This however does not account for privileged host permissions, and one can still see errors like Reading manifest: Invalid extension permission: about:reader*
from the built-in Screenshots extension on the first run of Firefox.
To reliably support privileged APIs, we need to set the privileged flag before the manifest is parsed by ExtensionData
's parseManifest
. Determing the privileged state depends on the extension's signedState
, which in turn depends on having at least a partially parsed manifest. This cyclic dependency can be broken by separating parseManifest
in two stages:
- A minimal stage that parses the extension type and ID from the manifest.
- The rest of
parseManifest
.
In between, the add-on signature can be determined, which can then be used to set the privileged flag before parsing the rest of the manifest. That means that the computation of the signedState member needs to move to between ExtensionData
construction and loadManifest
(which calls parseManifest
).
By doing so, we can also simplify Extension.jsm
by removing the hacks from bug 1675858.
Updated•3 years ago
|
Updated•3 years ago
|
Assignee | ||
Comment 1•3 years ago
|
||
l10n_resources has bugs that results in errors when enabled for
ExtensionData. In this patch stack we are going to introduce the
isPrivileged property to ExtensionData.
To prevent these errors from being triggered when isPrivileged is added,
replace the "isPrivileged" in this
check with a check against
ExtensionData
.
l10n_resources support in ExtensionData will be added in bug 1733466.
Assignee | ||
Comment 2•3 years ago
|
||
This refactor replaces the aAddon
parameter of verifySignedState
with the minimal parameters needed to perform its functionality.
This enables us to compute signedState without requiring a fully
initialized AddonInternal instance.
Assignee | ||
Comment 3•3 years ago
|
||
See https://bugzilla.mozilla.org/show_bug.cgi?id=1734987#c0 for the
description of the why and how of this patch.
Since isPrivileged is now supported on ExtensionData, this patch also
removes the work-arounds from bug 1675858.
Assignee | ||
Comment 4•3 years ago
|
||
addon.isPrivileged and extension.isPrivileged are currently almost
identical, except in the case of temporary extensions when experiments
are enabled.
This difference is inexplicable for those unfamiliar with the history,
so this patch makes them identical.
addon.isPrivileged was introduced in bug 1543204 to support hidden
add-ons, which was intended to be used by privileged add-ons only.
Hence, this patch updates the "hidden" getter to continue ignoring the
hidden flag for temporary add-ons.
With this change, the addon.isPrivileged check can be removed from
loadManifestFromWebManifest, in favor of checking extension.isPrivileged
at the location where addon.hidden is initialized for the first (and now
only) time.
Assignee | ||
Comment 5•3 years ago
|
||
During updates, isPrivileged was not set correctly, which resulted in
incorrect error messages (warnings about unsupported permissions) when a
privileged/builtin extension was updated (a variant of bug 1675858).
In the previous patch (part 3), isPrivileged was added to the
ExtensionData constructor, and also passed to BootstrapScope calls,
so we can use that here to.
The unit test here serves two purposes:
- Primarily: test coverage for the correctness of isPrivileged in the
update scenario. - Test coverage for the existence and order of ExtensionAPI's onUpdate
calls. There is no unit test for this mechanism right now, only
indirect tests.
Updated•3 years ago
|
Assignee | ||
Comment 6•3 years ago
|
||
Although the default value for isPrivileged is false in the
ExtensionData constructor, let's add the explicit value (false) so that
it's obvious that the default value is intended.
Updated•3 years ago
|
Comment 8•3 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/0152446140c4
https://hg.mozilla.org/mozilla-central/rev/01047f2fcc85
https://hg.mozilla.org/mozilla-central/rev/5ed31aa8b156
https://hg.mozilla.org/mozilla-central/rev/3c50643923f0
https://hg.mozilla.org/mozilla-central/rev/d02e0c5d2f3e
https://hg.mozilla.org/mozilla-central/rev/ab302ff25a5f
Description
•