Fix permission strings for file:// and other non-host origins
Categories
(Toolkit :: Add-ons Manager, defect, P3)
Tracking
()
People
(Reporter: zombie, Unassigned)
References
Details
(Whiteboard: [addons-jira])
Currently the file://*/* origin permission gets the same permission string as <all_urls>, which while better than nothing, is far from ideal, and unusable for optional permissions.
Similarly for about:*, resource:// and other non-host origins, though since they're only allowed in privileged addons, we could decide to not even show them.
Other option is to stop using the descriptive permission strings and just show origins/match patterns in optional origins.
|
Reporter | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
||
Comment 1•3 years ago
|
||
In Chrome file:-access is opt in, and the presence of the file permission reveals a checkbox where the iser can grant access to local files, even through fetch/XHR.
In Firefox, file permissions only unlock content script access. Extensions cannot open file:-URLs on their own, nor fetch file:-URLs.
I wouldn't mind making file access opt-in too. That would also be a way to address this bug.
|
|
Reporter | |
Comment 2•3 years ago
|
||
(In reply to Tomislav Jovanovic :zombie from comment #0)
Other option is to stop using the descriptive permission strings and just show origins/match patterns in optional origins.
Relatedly: https://phabricator.services.mozilla.com/D144070#inline-795446
|
||
Updated•3 years ago
|
Description
•