Closed Bug 999585 Opened 10 years ago Closed 10 years ago

enable new slaughterhouse APIs even with the unsafe-content-script flag on

Categories

(Add-on SDK Graveyard :: General, defect)

defect
Not set
normal

Tracking

(firefox30+ fixed, firefox31 fixed, firefox32 fixed, b2g-v1.4 fixed)

RESOLVED FIXED
mozilla32
Tracking Status
firefox30 + fixed
firefox31 --- fixed
firefox32 --- fixed
b2g-v1.4 --- fixed

People

(Reporter: zombie, Assigned: gkrizsanits)

References

Details

Attachments

(1 file)

this would enable addon devs to enable the temporary workaround and then test/fix the issues one by one.
This should not be a sec bug imo. And the patch should be as simple as turning the wantExportHelpers flag true in all cases here: http://mxr.mozilla.org/mozilla-central/source/addon-sdk/source/lib/sdk/content/sandbox.js#145 only problem is that the patch should be uplifted to aurora, and then make sure not to overwrite the patch on trunk in the next SDK merges...
> This should not be a sec bug imo. 

yeah probably, Mossop's instructions (without looking into details) was: "if you are unsure, just flag them, easier to unflag if it's not".
Assignee: nobody → gkrizsanits
Attachment #8412515 - Flags: review?(dtownsend+bugmail)
Group: core-security
Attachment #8412515 - Flags: review?(dtownsend+bugmail) → review+
Comment on attachment 8412515 [details] [diff] [review]
wantExportHelpers

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 821809
User impact if declined: Right now the new API is not available when add-on developers explicitly waive the extra security layer between content-script and web content. But there were requests to make those API available, making an incremental migration to the the new setup possible.
Testing completed (on m-c, etc.): on m-c
Risk to taking this patch (and alternatives if risky): I don't see any risk in this patch.
String or IDL/UUID changes made by this patch: none
Attachment #8412515 - Flags: approval-mozilla-aurora?
It's merge day and this isn't on central yet so will track this and we can land it to Beta post-merge.
https://hg.mozilla.org/mozilla-central/rev/e4ff4df25884
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Attachment #8412515 - Flags: approval-mozilla-beta+
Attachment #8412515 - Flags: approval-mozilla-aurora?
Attachment #8412515 - Flags: approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.