Open
Bug 1767798
Opened 3 years ago
Updated 1 year ago
Restrict privileged contexts of manifest v3 WebExtension from loading type *SCRIPT* via HTTP, HTTPS
Categories
(Core :: DOM: Security, task, P2)
ASSIGNED
People
(Reporter: freddy, Assigned: freddy)
References
(Depends on 1 open bug)
Details
(Whiteboard: [domsecurity-active])
The idea is to block loading scripts via HTTP/HTTPS from privileged extension content (background scripts, background pages, etc.). This would turn some of the policy restrictions for WebExtensions into runtime-enforcement.
It should be possible to create a new set of pre-request restrictions in DoContentSecurityChecks and inspect the Principal's AddonPolicy (and thus manifestVersion).
P.S.: We did something quite similar for the SystemPrincipal context (bug 1767395) and are doing the same for privileged about pages (bug 1767581).
Updated • 3 years ago
Priority: -- → P2
Whiteboard: [domsecurity-active]
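A stand-alone C++ model of the pre-request check the description proposes, added here as an illustration; it is not Gecko code and not the patch for this bug. `Principal`, `LoadRequest`, `SchemeOf` and `ShouldBlockLoad` are hypothetical names, a manifest version of 0 stands for a principal without an AddonPolicy, and extending the rule to manifest versions above 3 is an assumption.

```cpp
// Model of the proposed restriction: refuse type SCRIPT loads over
// http/https when the loading principal belongs to an MV3 WebExtension.
// All names below are hypothetical; this is not Gecko's implementation.
#include <cctype>
#include <string>

enum class ContentType { Script, Image, Fetch, Other };

// Stands in for the principal's AddonPolicy lookup.
// 0 means the principal has no AddonPolicy (ordinary web content).
struct Principal {
  int addonManifestVersion;
};

struct LoadRequest {
  Principal loadingPrincipal;
  ContentType type;
  std::string url;
};

// Returns the lower-cased URL scheme, or "" when the URL has none.
// Schemes are case-insensitive, so "HTTPS://..." must compare as "https";
// a plain prefix test against "https://" would miss it.
std::string SchemeOf(const std::string& url) {
  const auto colon = url.find(':');
  if (colon == std::string::npos || colon == 0) return "";
  std::string scheme = url.substr(0, colon);
  for (char& c : scheme) {
    const auto uc = static_cast<unsigned char>(c);
    if (!std::isalnum(uc) && c != '+' && c != '-' && c != '.') return "";
    c = static_cast<char>(std::tolower(uc));
  }
  return scheme;
}

// True when the load must be refused before any request is sent.
bool ShouldBlockLoad(const LoadRequest& req) {
  if (req.type != ContentType::Script) return false;  // only type SCRIPT
  const int mv = req.loadingPrincipal.addonManifestVersion;
  if (mv < 3) return false;  // assumption: rule covers MV3 and later only
  const std::string scheme = SchemeOf(req.url);
  return scheme == "http" || scheme == "https";  // packaged schemes pass
}
```

The sample URLs used to exercise the model are constructed; scripts packaged with the extension (for example under `moz-extension:`) are not affected by the check.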