Handle <all_urls> used as an API permissions in MV3 properly
Categories
(WebExtensions :: General, enhancement, P2)
Tracking
(Not tracked)
People
(Reporter: zombie, Assigned: zombie, NeedInfo)
References
(Blocks 3 open bugs)
Details
(Whiteboard: [addons-jira])
Unfortunately, we treat <all_urls> as an API permission as well, and those cases will need special handling for bug 1745818.
|
||
Updated•4 years ago
|
|
Assignee | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 1•3 years ago
|
||
It seems we only have a few uses of <all_urls> as an API permission left:
https://searchfox.org/mozilla-central/search?q=all_urlsPermission
https://searchfox.org/mozilla-central/search?q=all_urls&path=components%2Fextensions%2Fschemas
I plan to stop adding it to the api permissions, and instead change the existing checks to origin permissions checks.
|
||
Comment 2•3 years ago
|
||
Other uses:
drawWindowmethod - https://searchfox.org/mozilla-central/rev/0ffae75b690219858e5a45a39f8759a8aee7b9a2/dom/canvas/CanvasUtils.cpp#290- Reading from canvases - https://searchfox.org/mozilla-central/rev/0ffae75b690219858e5a45a39f8759a8aee7b9a2/dom/html/HTMLCanvasElement.cpp#1166-1167
- Cross-origin info in PerformanceObserver - https://searchfox.org/mozilla-central/rev/0ffae75b690219858e5a45a39f8759a8aee7b9a2/dom/performance/PerformanceResourceTiming.cpp#131-133
I think that it's fine to drop the first and third use of <all_urls>, and at most keep the second for extension documents (not content scripts given the efforts at bug 1578405).
|
|
||
Comment 4•3 years ago
|
||
drawWindow is deprecated (bug 1696976) - https://searchfox.org/mozilla-central/rev/dc09246dfbfd8dafeb6d55ebee18a6294d525443/dom/canvas/CanvasRenderingContext2D.cpp#5147-5150
|
|
||
Comment 5•1 year ago
|
||
Note: bug 1957794 has an extension that is most likely affected by this.
At install time, we fix up MV2 <all_urls> permissions at https://searchfox.org/mozilla-central/rev/d602f8558872d133dc9240a01cd25d0898c58e5a/toolkit/components/extensions/Extension.sys.mjs#1921-1923
In MV3, we skip that logic at first, but add origins in _setupStartupPermissions at https://searchfox.org/mozilla-central/rev/d602f8558872d133dc9240a01cd25d0898c58e5a/toolkit/components/extensions/Extension.sys.mjs#3965-3979 . Notably, the special <all_urls> check + addition is missing.
When an optional permission is toggled (whether via about:addons UI or the permissions API), it is added/removed via https://searchfox.org/mozilla-central/rev/d602f8558872d133dc9240a01cd25d0898c58e5a/toolkit/components/extensions/ExtensionPermissions.sys.mjs#415-423
Tom, do you still plan to fix this bug as proposed (replacing use of all_urls API permission with a host permission check), or would the simpler approach of adding <all_urls> from _setupStartupPermissions be acceptable in your opinion?
Description
•