Closed Bug 1961490 Opened 4 months ago Closed 3 months ago

Web Extensions with No Icons in the Manifest Are Getting Content-Security-Policy (img-src) Error

Categories

(Thunderbird :: Add-Ons: General, defect)

Thunderbird 137
Tracking

(thunderbird140 fixed)

RESOLVED FIXED
140 Branch

People

(Reporter: WoofGrrrr, Assigned: TbSync)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0

Steps to reproduce:

I recently switched from ESR to Release Channel

I am using a Web Extension - userChromeJS

Actual results:

When I install it, I see this in the Console.

Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at https://addons.thunderbird.net/static/img/addon-icons/default-32.png because it violates the following directive: “img-src chrome: data: moz-icon:” GlobalPopupNotifications.sys.mjs:1035:18

I tried adding this to the manifest, but it didn't help:

`"content_security_policy": "img-src https://addons.thunderbird.net;",`

Expected results:

Maybe Thunderbird should set its default Content Security Policy so that the icons that it, itself uses are allowed?

Summary: Web Extensions with No Icons in the Manifest Are Getting Content-Security-Policy Error → Web Extensions with No Icons in the Manifest Are Getting Content-Security-Policy (img-src) Error

For the record: userChromeJS is an Experiment which hacks the UI of Thunderbird. None of what it does is officially supported. Apparently, new platform-wide CSP requirements protect the UI from being injected with remote content. I am not an expert in this area.

After more research: This is independent of the mentioned add-on (which led me down the wrong path). The chrome popup which informs the user of a successfully installed add-on does not yet have access to the local icon data from the XPI, but uses the icon from ATN. The default CSP set by the platform does not allow that.

Edit: The popup does have access to the local XPI data, but if the add-on manifest does not have an icon, it checks if there is one defined on ATN and tries to use that (which could also be the "default"). If an add-on is used which does not exist on ATN (just change its ID to some random value), the error does not occur.

The add-on cannot fix that. This must be fixed in the popup. We should also fix the "Argument 1 is not an object", while we are working in that area.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: Untriaged → Add-Ons: General
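
As an added illustration (not code from this bug or from Thunderbird), the sketch below applies a simplified CSP source-list match to the directive and icon URL quoted in the console message above. The function names and the widened directive are assumptions; the page does not show the policy the patch actually set.

```javascript
// Simplified CSP source-list matching (illustrative, not Gecko's implementation).
// Covers "*", scheme-sources and host-sources; 'self', nonces and hashes never match.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Return the source list of directive `name`, or null if the policy lacks it.
function getSources(policy, name) {
  for (const part of policy.split(";")) {
    const [directive, ...sources] = part.trim().split(/\s+/);
    if (directive.toLowerCase() === name) return sources;
  }
  return null;
}

// Does a single source expression match the parsed URL?
function sourceMatches(source, url) {
  if (source === "*") return url.protocol in DEFAULT_PORT; // simplification: http(s) only
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return source.toLowerCase() === url.protocol; // scheme-source, e.g. "data:"
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*']+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false; // quoted keywords such as 'none' end up here
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme ? scheme.toLowerCase() + ":" !== url.protocol : !(url.protocol in DEFAULT_PORT)) {
    return false;
  }
  const h = host.toLowerCase();
  if (wildcard ? !url.hostname.endsWith("." + h) : url.hostname !== h) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  const wantPort = port || DEFAULT_PORT[url.protocol] || "";
  if (port !== "*" && urlPort !== wantPort) return false;
  if (!path) return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// True if `policy` permits an image load from `rawUrl` (default-src fallback not modelled).
function imgAllowed(policy, rawUrl) {
  const sources = getSources(policy, "img-src");
  if (sources === null) return true;
  const url = new URL(rawUrl);
  return sources.some((s) => sourceMatches(s, url));
}

// Directive and URL as quoted in the console message of this bug.
const REPORTED_DIRECTIVE = "img-src chrome: data: moz-icon:";
const ATN_ICON = "https://addons.thunderbird.net/static/img/addon-icons/default-32.png";
// Assumption for illustration: the same directive with the ATN origin appended.
const WIDENED_DIRECTIVE = REPORTED_DIRECTIVE + " https://addons.thunderbird.net";

console.log(imgAllowed(REPORTED_DIRECTIVE, ATN_ICON)); // blocked, as in the report
console.log(imgAllowed(WIDENED_DIRECTIVE, ATN_ICON));
```

The match is evaluated against the policy of the document that performs the load, so a `content_security_policy` entry in the add-on's manifest, which governs the add-on's own pages, does not change the outcome for the install panel.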

The notification panel shown after a completed add-on install needs to
download an icon from ATN sometimes. This patch updates the CSP accordingly.

A test case which throws an error and does not display the icon without
this patch is the following add-on:

https://addons.thunderbird.net/addon/openai-proofreader

STR:

  • download the add-on's XPI file
  • open Thunderbird's add-on manager
  • click on the gear icon and select "install from file"
  • select the downloaded XPI file
  • click "Add" on the first notification shown
  • the second notification will throw the error, not showing an icon

Assignee: nobody → john
Status: NEW → ASSIGNED
See Also: → 1966171
Target Milestone: --- → 140 Branch

Pushed by corey@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/115935e6e7f7
Fix CSP for add-on install panel. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED