Closed Bug 1897113 Opened 29 days ago Closed 17 days ago

Content scripts should only run in blob:-URLs if match_origin_as_fallback is true

Categories

(WebExtensions :: General, enhancement)

enhancement

Tracking

(firefox128 fixed)

RESOLVED FIXED
128 Branch
Tracking Status
firefox128 --- fixed

People

(Reporter: robwu, Assigned: robwu)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-needed, Whiteboard: [addons-jira])

Attachments

(1 file)

Currently, we run content scripts in blob:-URLs if the document that created it matches the matches pattern of a content script. This behavior is undocumented, and was not covered by unit tests until I added them in https://hg.mozilla.org/mozilla-central/rev/1eabe598552b (part of bug 1853411).

In contrast, Chrome only permits it if match_origin_as_fallback is also set to true. In Firefox we implemented this feature recently in bug 1853411, so we should also lock blob:-scripting to extensions that specify match_origin_as_fallback.

Because this change may affect compatibility, we should add a pref to enable us or users to revert the feature. If there are no significant regressions, we should eventually remove the preference.

Assignee: nobody → rob
Status: NEW → ASSIGNED
Blocks: 1899134
Pushed by rob@robwu.nl:
https://hg.mozilla.org/integration/autoland/rev/998822f95cec
Require match_origin_as_fallback for blob:-URLs r=rpl
Keywords: dev-doc-needed
Status: ASSIGNED → RESOLVED
Closed: 17 days ago
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: