1813789 - See if the translations worker can be moved from a ChromeWorker to an unprivileged Worker

Status: NEW

(Firefox :: Translation, task, P3)

Description

[Greg Tatum [:gregtatum]]

Any worker created in a chrome-privileged principal will inherit the privileges. The translations worker doesn't need chrome privileges since it's just running a wasm blob that transforms a string into a string.

Here you can see the various ChromeUtils a ChromeWorker has access to: https://searchfox.org/mozilla-central/rev/7a9e3bbab8f81c2cbc72a394047f948da9cfef9a/dom/chrome-webidl/ChromeUtils.webidl#73-260

It would be nice if we could figure out a way to load a Worker without the privileges. One immediate issue with accomplishing this is the same-origin rule gets in the way of loading a resource:// URL from a content page.

For instance, in about:translations the origin is reported as "null" and invoking the worker on the content-side of the page causes a same-origin error to be thrown when loading the worker at a resource:// or chrome:// URL.

While about:translations we are in control of the content side of the page, on the general web we are not, and so this may not be feasible for the Worker to run on the content side, but I'm not sure. This needs to be investigated, as it would be a clear security win if we can lock down the Worker.

Comment 1

[Greg Tatum [:gregtatum]]

This blocks MVP so that we can at least decide on this through a security review, plus check on the feasibility.