Enable executeScript restriction on extension pages on all channels
Categories
(WebExtensions :: General, task, P2)
Tracking
(Not tracked)
People
(Reporter: rpl, Unassigned)
References
(Depends on 1 open bug)
Details
(Keywords: sec-want, Whiteboard: [addons-jira])
Attachments
(1 file)
As a followup to Bug 2011234, we plan to enable the restriction on all channels as part of the Firefox 152 cycle and let it ride the train (in the meantime the restriction is enabled on Nightly builds by default and a deprecation warning is logged in the target extension page when the restriction is being hit).
Updated•2 months ago
Comment 1•26 days ago
The bug 2011234 says it's blocking dynamic code execution, but from what I can see, even fixed code execution is blocked.
Is this really intended behavior?
Comment 2•26 days ago
(In reply to juraj.masiar from comment #1)
> The bug 2011234 says it's blocking dynamic code execution, but from what I can see, even fixed code execution is blocked.
> Is this really intended behavior?
Yes, this is intentional. Access control is based on the target of the execution, and we wanted to consistently apply the change to all the methods without exceptions. And unlike tabs.executeScript, we never documented that scripting.executeScript allows execution in extension documents. Here is the relevant diff of the documentation change:
- scripting.executeScript (added information only, without deletions): https://github.com/mdn/content/pull/43108/files#diff-4448cf7eb023b27ee11e787fb3ee7463c49ca69d8dc18c64e90ed567dba66839
- tabs.executeScript (deleted mention of support in extension documents along with adding notes): https://github.com/mdn/content/pull/43108/files#diff-5deb2dfa11563fd0afc3bfcb77db087458086d22e30c9cb34fd7afd2fe326df3
Comment 3•25 days ago
But why restrict it for the modern scripting namespace at all?
It doesn't allow any dynamic code execution, that was the whole point of MV3.
Being able to use "any" extension API on your own extension tabs is a huge consistency help.
The fact that it wasn't documented is not a good argument as most APIs don't state this, because why should they get special treatment? It's like updating tabs.setZoom documentation and writing that it works on extension pages...
I understand the security reasoning in the tabs namespace, but I don't see it helping anyone on the already secure scripting namespace.
All I see now is a lot of code I need to change in multiple of my addons :(, and I'm sure it's not just me.
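Added example, not part of the bug thread and not Mozilla's code: because the restriction is keyed on the target document, an extension can pick the transport per target, injecting a fixed function into web pages and asking its own pages to run the same named handler through messaging. It assumes `tab.url` is readable by the caller and that `tabs.sendMessage` reaches the extension's own page in that tab; the handler names and the `run-handler` message type are hypothetical.

```javascript
// Added example. `api` is the WebExtension namespace (`browser`); the
// handler names and the "run-handler" message type are hypothetical.
const HANDLERS = new Map([
  ["getTitle", () => document.title],
  ["setBanner", (text) => { document.body.dataset.banner = text; return true; }],
]);

// True when the tab shows a document from this extension's own origin.
// Assumes tab.url is readable by the caller.
function isOwnExtensionPage(api, tab) {
  return typeof tab.url === "string" &&
    tab.url.startsWith(api.runtime.getURL(""));
}

// Caller side (background, popup, ...): pick the transport by target.
async function runInTab(api, tab, name, args = []) {
  const func = HANDLERS.get(name);
  if (!func) throw new Error(`unknown handler: ${name}`);
  if (isOwnExtensionPage(api, tab)) {
    // Restricted target: the page runs its own copy of the handler.
    return api.tabs.sendMessage(tab.id, { type: "run-handler", name, args });
  }
  // Web page target: inject the fixed function as before.
  const [frame] = await api.scripting.executeScript({
    target: { tabId: tab.id }, func, args,
  });
  return frame.result;
}

// Extension-page side: call once from the page's own script.
function installPageHandlers(api) {
  api.runtime.onMessage.addListener((msg, sender) => {
    // Only dispatch known names sent by this extension itself.
    if (sender.id !== api.runtime.id || msg?.type !== "run-handler") return;
    const func = HANDLERS.get(msg.name);
    if (!func) return;
    return Promise.resolve(func(...(msg.args ?? [])));
  });
}
```

The page-side listener dispatches only names present in the table, so the messaging path carries no code, only a handler name and its arguments.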