Closed Bug 1790236 Opened 2 years ago Closed 1 year ago

Remove CSP_ALLOW_LOCALHOST and the special case for http:-localhost from the MV2 base CSP

Categories

(WebExtensions :: General, task, P3)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: robwu, Unassigned)

In bug 1789751 I dropped support for the localhost exception in the MV3 CSP.

Out of caution I did not remove localhost from the MV2 base CSP. However, we should probably remove it, because it is probably not needed. It is not documented, and any MV2 extensions that try to load a localhost script have alternatives available (such as 'unsafe-eval').

The uses of CSP_ALLOW_LOCALHOST (Ci.nsIAddonContentPolicy.CSP_ALLOW_LOCALHOST) across the codebase should also be removed.

The bitfield that is freed up by it can be re-purposed for bug 1685123.

As noted in bug 1789751, the removal of localhost from our base CSP can allow us to block unexpected script sources in the extension process, even if it is http to start with.

With that, we can also reject http(s) script loads in extensions, even at the process level (e.g. like what CheckAllowLoadInSystemPrivilegedContext does for the system principal).

127.0.0.1 and localhost are already explicitly documented to be unsupported in the BCD, so it should be safe to remove them from the implementation.

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy#browser_compatibility

Severity: -- → N/A
Priority: -- → P3

Hi, would this change prevent use of a localhost dev server (e.g. Vite) when developing an MV2 extension? If so, I would consider that a very bad idea in terms of DX.

See Also: → 1864284

We have decided to be in favor of allowing localhost/127.0.0.1 script loads in temporarily loaded add-ons, see https://bugzilla.mozilla.org/show_bug.cgi?id=1864284#c3

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX