Closed Bug 1766881 Opened 5 months ago Closed 24 days ago

Remove object-src requirement from the extension CSP, at least in MV3

Categories

(WebExtensions :: General, task, P3)
Tracking

(firefox106 fixed)

RESOLVED FIXED
106 Branch
Tracking Status
firefox106 --- fixed

People

(Reporter: robwu, Assigned: robwu)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, Whiteboard: [addons-jira][wecg])

Attachments

(1 file)

object-src is not useful in the extension CSP. Plugin support has been removed from Firefox, and there is consensus in the WECG to remove this.

For context, benefits and rationale behind the removal of object-src from the extension's CSP, see https://github.com/w3c/webextensions/issues/204.

Severity: -- → N/A
Priority: -- → P3
Assignee: nobody → rob
Blocks: 1581608

object-src used to be required because it controls plugins, and we did
not want to load unsafe sources as plugins. With NPAPI plugin support
having been dropped a long time ago, this reason no longer exists.
The requirement for a "secure" object-src CSP directive meant that
extensions had to specify a boilerplate object-src if they wanted to
modify script-src.

This patch removes the object-src requirement from extension CSP,
which simplifies the usage and learning curve of CSP usage in
extensions.

With this change, extensions can now load "unsafe" (remote) content
via <embed> and <object> tags. This relaxation does not reduce
the security because this was already possible with <iframe> tags.
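To make the last paragraph of the patch description concrete, here is an added example (not code from the patch or from Firefox's CSP validator) that works out which directive of an extension CSP governs `<object>`/`<embed>` loads versus `<iframe>` loads. The fallback chains (object-src falls back to default-src; frame-src falls back to child-src and then default-src) are taken from the CSP specification; the three sample policies are constructed for illustration, with the MV2 one using the `script-src 'self'; object-src 'self'` boilerplate the description refers to.

```python
# Added example: which CSP directive governs <object>/<embed> vs <iframe> loads.
# Not part of the Firefox patch; fallback chains follow the CSP specification.
from __future__ import annotations

# The first directive in the chain that is present in the policy governs the load.
OBJECT_CHAIN = ("object-src", "default-src")             # <object>, <embed>
FRAME_CHAIN = ("frame-src", "child-src", "default-src")  # <iframe>


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a serialized CSP into {directive-name: [source expressions]}.

    Per the CSP spec, when a directive appears more than once only the first
    occurrence is used, so setdefault() deliberately keeps the first one.
    """
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def governing_directive(policy: str, chain: tuple[str, ...]) -> tuple[str | None, list[str]]:
    """Return (directive, sources) that governs a load type, or (None, []) when
    no directive in the chain is present, i.e. CSP does not restrict that load."""
    directives = parse_csp(policy)
    for name in chain:
        if name in directives:
            return name, directives[name]
    return None, []


def object_embed_restricted(policy: str) -> bool:
    """True if <object>/<embed> loads are limited by some directive."""
    return governing_directive(policy, OBJECT_CHAIN)[0] is not None


def iframe_restricted(policy: str) -> bool:
    """True if <iframe> loads are limited by some directive."""
    return governing_directive(policy, FRAME_CHAIN)[0] is not None


# Constructed sample policies for an extension's content_security_policy.
# MV2 style: object-src boilerplate that had to accompany a custom script-src.
MV2_BOILERPLATE = "script-src 'self'; object-src 'self'"
# After this change: object-src omitted, so <object>/<embed> are not CSP-governed.
MV3_NO_OBJECT_SRC = "script-src 'self'"
# An author who still wants <object>/<embed> locked down can say so explicitly.
MV3_EXPLICIT_NONE = "script-src 'self'; object-src 'none'"

if __name__ == "__main__":
    samples = [("MV2 boilerplate", MV2_BOILERPLATE),
               ("MV3, no object-src", MV3_NO_OBJECT_SRC),
               ("MV3, object-src 'none'", MV3_EXPLICIT_NONE)]
    for label, policy in samples:
        obj = governing_directive(policy, OBJECT_CHAIN)
        frm = governing_directive(policy, FRAME_CHAIN)
        print(f"{label:24} object/embed -> {obj}  iframe -> {frm}")
```

Running it shows the point the description makes: in the MV2 sample `<object>`/`<embed>` are confined to `'self'` while `<iframe>` was never restricted, so remote framed content was already reachable; dropping object-src merely puts `<object>`/`<embed>` in the same unrestricted position, and an extension that wants the old behaviour can still state `object-src 'none'` (or a `default-src`) itself.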

Pushed by rob@robwu.nl:
https://hg.mozilla.org/integration/autoland/rev/930ba77bcee7
Drop object-src requirement from extension CSP r=mixedpuppy
Status: NEW → RESOLVED
Closed: 24 days ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

I have updated the documentation at https://github.com/mdn/content/pull/20437

This should still be documented in the BCD entry and changelog (Firefox 106 for developers).

Keywords: dev-doc-needed

Documentation updates completed in PR #21190 and browser compatibility data changes in PR #17901
