Closed Bug 1901967 Opened 1 year ago Closed 1 year ago

eval call is not possible in manifest v3

Categories

(WebExtensions :: General, enhancement)

Firefox 125
enhancement

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: robert, Unassigned)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0

Steps to reproduce:

  • Try to call eval in a background script
  • Try to call eval in an iframe that is appended to the DOM in a background script

Actual results:

  • There is no way to call eval in manifest v3, since the sandbox feature in the manifest is not supported yet, so any eval calls are limited by CSP and we cannot make an exception even for sandboxed iframes

Expected results:

It must be possible to run an eval call in a sandboxed iframe, since it is safer because the iframe does not have access to a browser API. See my use case in the w3c discussion.

Without eval it is pointless to move to manifest v3 on Firefox, since an important feature of the extension will not be available.

Hello,

Based on what I’ve understood from https://github.com/w3c/webextensions/issues/637 and this report, you are proposing an enhancement as the required feature is not supported yet.

I will mark the report accordingly; however, in case I’m mistaken, do revert the changes. Thank you!

Type: defect → enhancement

This is by design; eval is not permitted in an extension document, and sandboxed moz-extension iframes (or any same-origin iframes on the web in general) inherit the CSP from the parent document, to prevent sandbox escapes.

The only mechanism available to support sandboxed eval in extension APIs is manifest sandbox, which is not supported yet (bug 1685123).

As a work-around, you would have to embed an external website that performs eval on behalf of the extension. This dependency on an external website is not ideal, however.

I'm closing this bug because this behavior is intentional within the current APIs; your feature request is covered by bug 1685123.

(In reply to Robert Vitonsky from comment #0)

> It must be possible to run an eval call in a sandboxed iframe, since it is safer because the iframe does not have access to a browser API. See my use case in the w3c discussion.

Note that this is only in Firefox; Chrome offers full access to the extension APIs. See bug 1896824 for relevant context.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX
See Also: → 1896824, 1685123
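
The inheritance rule described in the closing comment above, as an added example that is not part of the original bug report or Firefox code: a simplified JavaScript model of the CSP check that gates eval, showing that a frame which inherits the extension page's policy stays blocked even when it declares a more permissive policy of its own. The function names and policy strings are constructed for illustration.

```javascript
// Simplified model of the CSP check that gates eval(); not Firefox source code.
// Under CSP Level 3, eval is governed by script-src, falling back to default-src.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A single policy permits eval if no directive governs scripts at all,
// or if the governing directive lists the 'unsafe-eval' keyword.
function policyAllowsEval(text) {
  const d = parsePolicy(text);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// A document can carry several policies; every one of them must permit eval.
function documentAllowsEval(policies) {
  return policies.every(policyAllowsEval);
}

// Model of inheritance: the frame keeps the parent's policies and can only
// add its own on top, so it can tighten the result but never loosen it.
function iframePolicies(parentPolicies, ownPolicies) {
  return [...parentPolicies, ...ownPolicies];
}

// Constructed sample policies (assumptions, not copied from any extension).
const EXTENSION_PAGE = ["script-src 'self'"];
const FRAME_OWN = ["script-src 'self' 'unsafe-eval'"];
```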