Closed Bug 1809235 Opened 2 years ago Closed 2 years ago

Require manifest_version 3 extension to request an explicit manifest permission to be allowed to use webRequest.filterResponseData

Categories

(WebExtensions :: Request Handling, task, P2)

task

Tracking

(firefox110 fixed)

RESOLVED FIXED
110 Branch
Tracking Status
firefox110 --- fixed

People

(Reporter: rpl, Assigned: rpl)

References

Details

(Keywords: dev-doc-complete, Whiteboard: [addons-jira])

Attachments

(2 files)

An explicit permission (one that wouldn't be listed in the permissions shown to the users in the install prompt, especially given the technical nature of the actual feature) would allow us to more easily and quickly double-check which extensions are using webRequest.filterResponseData, and through that API being able to read and/or temper the response bodies.

We are going to require the new manifest permissions only for manifest_version 3 extensions, while manifest_version 2 extensions are still going to be allowed to call webRequest.filterResponseData without the need to explicitly request the new permission in their manifest (but we would still accept the permission in MV2 extension if actually requested).

Summary: Request manifest_version 3 extension to request an explicit manifest permission to be allowed to use webRequest.filterResponseData → Require manifest_version 3 extension to request an explicit manifest permission to be allowed to use webRequest.filterResponseData

Not strictly related to this bugzilla issue, but while I was updating this test file accordingly
to the other changes needed for this bugzilla issue, I did notice this test was slower to complete
than how much I was expecting.

The underlying issue was that the call to extension.terminateBackground was missing the
disableResetIdleForTest and so terminateBackground was exiting earlier due to pending
api event listeners calls (which was expected given that we were just firing webRequest
events) and the event page was actually being suspended after an additional idle timeout.

Assignee: nobody → lgreco
Status: NEW → ASSIGNED
Severity: -- → N/A
Priority: -- → P2

We'll need to add the new permission, named "webRequestFilterResponse":

  • for MV3 extension: the new permission is required to be allowed to successfully call webRequest.filterResponseData (if the permission is not granted the method is going to throw an explicit error for the missing permission)
  • for MV2 extensions: the new permission is not required (but in Firefox versions where the attached patches will be landed, it would still be recognized as a valid permission if requested by an MV2 extensions)

We should update the following MDN pages:

and the following MDN's browser-compat-data json files:


Given that we are going to add "webRequestFilterResponse" permission to cover the dev-docs-needed keyword on this bug, we should also add "webRequestFilterResponse.serviceWorkerScript", which was introduced in Bug 1636629 and it does also apply to MV2 extensions:

  • "webRequestFilterResponse.serviceWorkerScript" is a permission required to allow an extension (both MV2 or MV3) to use webRequest.filterResponseData API method on intercepted requests originated for service worker scripts (e.g. the main service worker script or scripts imported from the service workers using importScripts)
  • once this bug will be landed, an MV3 extension that wants to use webRequest.filterResponseData on intercepted requests originated for service worker scripts will have to request both "webRequestFilterResponse" and "webRequestFilterResponse.serviceWorkerScript"

The MDN pages and MDN's browser-compat-data JSON files to be updated are the same listed above in this comment.

Keywords: dev-doc-needed
Pushed by luca.greco@alcacoop.it:
https://hg.mozilla.org/integration/autoland/rev/2ca67b639c9c
Fix terminateBackground call missing disableResetIdleForTest in test_ext_webRequest_eventPage_StreamFilter.js. r=willdurand
https://hg.mozilla.org/integration/autoland/rev/67eb98f6ffc6
Require an explicit webRequestFilterResponse data permission for MV3 extension to be allowed to call filterResponseData. r=willdurand
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
Flags: needinfo?(lgreco)

Thanks Richard, I just looked both and submitted a couple of review comments, the BCD one seems to have been already merged but there is a detail that I noticed that I'd like us to double-check and fix in the BCD repo with a followup issue and PR:

Flags: needinfo?(lgreco)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: