Validation should warn/fail when certain built-in style sheets are included in an overlay


Status Graveyard
Add-on Validation
6 years ago
2 years ago


(Reporter: Matthew Turnbull [Bluefang], Unassigned)





6 years ago
I am the developer of Status-4-Evar. I've had multiple reports of extensions breaking S4E because they include chrome://browser/content/browser.css, which stomps on S4E's XBL bindings.

I'd like to suggest that an overlay to _any_ window should not be able to include style sheets already included by the base window. However, I'm not sure that would be possible to do.

I think a good first step would be to have a static list of common overlay targets, and have a style sheet blacklist for each one.

For example, overlays on chrome://browser/content/browser.xul should not be able to include chrome://browser/content/browser.css, chrome://browser/skin/, chrome://browser/skin/browser.css, chrome://global/skin/, or chrome://global/skin/global.css.

Some common overlay targets would probably be the Firefox main window, the Thunderbird main and message windows, and the analogous windows in SeaMonkey.

In the case of the SearchMenu extension, I also noticed that a style sheet included in the overlay was importing the global style sheet. So perhaps a second step to this would be to make sure an overlay does not transitively include the blacklisted style sheets.

Comment 1

5 years ago
Jorge: Kris: Any feedback on this?

We already detect overlays linked from chrome.manifest, so it probably wouldn't be hard to implement this. If there was a list of overlays to CSS files (or scripts), that would be very useful.
Ah, interesting. Yeah, it would probably suffice to warn about including a stylesheet from any builtin package in a known overlay. ^chrome://(global|browser|navigator|communicator)/ should be fine.
Priority: -- → P5
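
The check discussed in this thread, as an added example that is not part of the bug report or the validator's own code: it flags style sheets from built-in packages that an overlay includes directly or through `@import` chains, using the pattern from comment 1. The add-on name, the sample overlay and the `addon_css` mapping are constructed assumptions.

```python
import re
from collections import deque

# Pattern proposed in the thread for style sheets owned by built-in packages.
BUILTIN = re.compile(r"^chrome://(global|browser|navigator|communicator)/")
# <?xml-stylesheet href="..." ?> processing instructions in the overlay.
STYLE_PI = re.compile(r"""<\?xml-stylesheet\b[^>]*?\bhref\s*=\s*["']([^"']+)["']""")
# @import "url"; and @import url(...); forms in CSS.
CSS_IMPORT = re.compile(r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)""")

def find_builtin_includes(overlay_xul, addon_css):
    """Return (builtin_url, include_chain) for each built-in style sheet reached.

    addon_css maps chrome:// URLs to the CSS text shipped in the add-on
    (an assumption: a real validator would resolve them via chrome.manifest).
    """
    findings, seen = [], set()
    queue = deque((href, [href]) for href in STYLE_PI.findall(overlay_xul))
    while queue:
        url, chain = queue.popleft()
        if url in seen:          # also stops @import cycles
            continue
        seen.add(url)
        if BUILTIN.match(url):
            findings.append((url, chain))
            continue             # built-in sheets are not in the package
        for target in CSS_IMPORT.findall(addon_css.get(url, "")):
            queue.append((target, chain + [target]))
    return findings

# Constructed sample: an overlay on browser.xul from a hypothetical add-on.
SAMPLE_OVERLAY = """<?xml version="1.0"?>
<?xml-stylesheet href="chrome://browser/content/browser.css" type="text/css"?>
<?xml-stylesheet href="chrome://exampleaddon/skin/overlay.css" type="text/css"?>
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"/>
"""
SAMPLE_CSS = {
    "chrome://exampleaddon/skin/overlay.css":
        '@import url("chrome://global/skin/");\n#example-button { color: red; }',
}

if __name__ == "__main__":
    for url, chain in find_builtin_includes(SAMPLE_OVERLAY, SAMPLE_CSS):
        print("warning: overlay includes built-in style sheet", url,
              "via", " -> ".join(chain))
```

Relative `@import` targets are not resolved here; a validator would need to resolve them against the importing sheet's URL before matching.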


2 years ago
Product: → Graveyard
Doesn't appear to be a priority, and we're moving away from add-ons being able to override each other. Feel free to reopen if there's a patch available.
Last Resolved: 2 years ago
Resolution: --- → WONTFIX