Move away from internal data:-URL in scripting.executeScript + world:MAIN implementation
Categories
(WebExtensions :: General, enhancement, P2)
Tracking
(firefox128 fixed, firefox129 fixed)
People
(Reporter: robwu, Assigned: robwu)
References
Details
(Whiteboard: [addons-jira])
Attachments
(4 files: each 48 bytes, text/x-phabricator-request; two flagged approval-mozilla-beta+ by phab-bot)
In bug 1736575, I introduced the use of a data:-URL in order to have a way to get a PrecompiledScript that can execute independently of the page's CSP (https://phabricator.services.mozilla.com/D211869).
The downside to a data:-URL is that the full script source appears when any callee (potentially from the web page) examines the stack trace, in new Error().stack.
An upside to the current implementation in comparison to the evalInSandbox implementation used for other content script execution is that the data:-URL uniquely identifies the script, so it appears correctly in the debugger. In contrast, the "filename" "sandbox eval code" is currently shared by all tabs.executeScript({ code }) or scripting.executeScript({ func, args }) calls, which makes it a bit difficult to e.g. set a breakpoint for multiple executeScript calls: the first script is loaded in the devtools, and after that the debugger shows the original source even if the underlying code has changed.
Anyway, in this bug I'm focusing on the scripting.executeScript + world MAIN code path. The "sandbox eval code" part is already tracked at bug 1707107.
Assignee
Comment 1•1 month ago
I considered converting the data to a blob. The plus side is that the immediate content is hidden; the downside is potential extension UUID leakage. Perhaps we can have a random artificial extension UUID?
FYI, here is another bug about transforming the CSS code to a blob: bug 1639478
Assignee
Comment 2•17 days ago
This option enables internal callers to specify a different file name,
which we will rely upon for redacting the extension URL and filenames.
Assignee
Comment 3•17 days ago
Pushed by rob@robwu.nl:
https://hg.mozilla.org/integration/autoland/rev/0b9f2ac8460b
Add filename option to ChromeUtils.compileScript r=spidermonkey-reviewers,arai
https://hg.mozilla.org/integration/autoland/rev/2780686b010b
Redact filename from MAIN world scripts r=willdurand
Comment 5•14 days ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/0b9f2ac8460b
https://hg.mozilla.org/mozilla-central/rev/2780686b010b
Assignee
Comment 6•11 days ago
This option enables internal callers to specify a different file name,
which we will rely upon for redacting the extension URL and filenames.
Original Revision: https://phabricator.services.mozilla.com/D214295
Assignee
Comment 7•11 days ago
Original Revision: https://phabricator.services.mozilla.com/D214296
Comment 8•11 days ago
beta Uplift Approval Request
- User impact if declined: Web pages can detect when extensions execute code using the new world:MAIN option. This includes the source text of the executing script or the script's URL (that includes a UUID that could be used for fingerprinting).
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: Manual testing is not needed because the behavior is already fully covered by automated tests.
- Risk associated with taking this patch: Low
- Explanation of risk level: Changes specific part of extension API implementation, fully covered by automated tests. The mechanism to redact file names is mature, and the effects are well understood.
- String changes made/needed: none
- Is Android affected?: yes
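The leak and the redaction discussed in this bug, modelled as an added example that is not part of the bug or of Firefox's code. It uses Node.js's vm module as a stand-in for ChromeUtils.compileScript and its filename option; the marker string, the UUID, the extension path and the redacted file name are all constructed for illustration.

```javascript
// Added illustration: Node.js model of the behaviour, not Firefox code.
const vm = require("vm");

// Constructed values: a marker inside the injected source and a fake extension UUID.
const MARKER = "SECRET_TOKEN_123";
const FAKE_UUID = "00000000-0000-4000-8000-000000000000";
const SOURCE = `(function injected() { return pageHook("${MARKER}"); })()`;

// Compile SOURCE under the given filename, run it, and return the stack
// that a page-controlled callee observes through new Error().stack.
function stackSeenByCallee(filename) {
  let seen = "";
  const context = vm.createContext({
    pageHook() { seen = new Error().stack; },
  });
  new vm.Script(SOURCE, { filename }).runInContext(context);
  return seen;
}

// Report what a given stack string discloses to the page.
function audit(stack) {
  return {
    source: stack.includes(MARKER),
    uuid: stack.includes(FAKE_UUID),
  };
}

// The three naming strategies that come up in the bug.
const FILENAMES = {
  dataUrl: "data:text/javascript," + encodeURIComponent(SOURCE),
  extensionUrl: `moz-extension://${FAKE_UUID}/injected.js`, // hypothetical path
  redacted: "redacted-script", // hypothetical neutral label
};

function auditAll() {
  const out = {};
  for (const [name, filename] of Object.entries(FILENAMES)) {
    out[name] = audit(stackSeenByCallee(filename));
  }
  return out;
}

console.log(auditAll());
```

Only the redacted file name keeps both the script text and the UUID out of the stack that the callee sees.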
https://hg.mozilla.org/releases/mozilla-beta/rev/40686de10d43
https://hg.mozilla.org/releases/mozilla-beta/rev/9b05f7458385