If the sidebar window or a service window has a location in a different origin than the social worker, then the mozSocial API (either entirely, or at least getWorker()) should not work from the window. The risk is that the worker code "trusts" the other side of a port (and indeed can't check the origin of the port even if it wanted to) and thus may give up "secrets" to this other origin. This should happen regardless of whether the URL being from a different origin is intentional or unintentional. FWIW, bug 764241 is discussing whether to allow this to happen intentionally, but regardless of the outcome of that discussion, this extra check should be added as a "defense in depth" technique.
same-origin restriction added https://github.com/mozilla/socialapi-dev/commit/31ace0ace39797ff445666832fe1c0c923fabee6 note, somehow another changed to support username in the menu leaked in, though git diff didn't show that before :/
Is there anything I can do to test this? Does this have any tests?
Again, this is out-of-date, but we do have tests for the same-origin restrictions we currently impose.
Flagging [qa-] as there's nothing to verify.