[meta] Add permission to allow extensions to load semi-privileged URLs
Categories: WebExtensions :: Frontend, task, P3
Tracking: Not tracked
People: Reporter: abr, Unassigned
References: Depends on 2 open bugs, Blocks 8 open bugs
Details: Keywords: meta, Whiteboard: [design-decision-approved] triaged[tabs]
Comment 56•5 years ago
This bug has a lot of comments, but I've tried to digest them in a way that would allow me to come to a decision on this. If I understood correctly, the main ask for this bug is to make it possible for browser.tabs.create() and .update() to open tabs, or update the URL of tabs to point to about: pages. There were some concerns about parameters on about pages, that it is possible that our code would consider the content of these parameters as safe.
What I feel we should do is allow creating/updating tabs of about: pages, using a whitelist for specific pages we'd want to allow. The whitelist should be guided by pages where we feel there is a reasonable use case for opening that page. A few requirements:
- The fact that users may type an about page in an imitated URL bar is great for those specific add-ons, but is not something that should drive the decision on which URLs to allow. If that were the case, we'd essentially have to allow all of them, which I don't think is feasible.
- The whitelist should not include pages mainly appealing to power users. I would not want an add-on to open about:config, as it could be used as a mechanism to trick unknowing users into changing security-related preferences.
- Add-ons must not be able to interact with the pages, as it was before. If possible we might also want to avoid allowing these pages to be framed.
- Pages we whitelist should get a comment in their implementation code, noting that the page can be opened by an extension. This way Firefox developers are more sensitive to how the pages are opened.
- Query parameters should be disallowed generally, though if there is a compelling use case we might want to allow them on specific pages.
To me this is not an immediate priority; if the dependent fixes serve further purposes, I think that would increase the likelihood of this being implemented.
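The requirements listed in comment 56 amount to a fail-closed check on the URL passed to `browser.tabs.create()` or `.update()`. The sketch below is an added example, not part of the comment and not Firefox's code; the function name, the allowlist entries and the `id` parameter are assumptions chosen for illustration.

```javascript
// Hypothetical allowlist: page name -> query parameter names permitted on it.
// The entries are constructed for this example, not a list Mozilla approved.
const ABOUT_ALLOWLIST = new Map([
  ["addons", new Set()],                 // no query parameters accepted
  ["preferences", new Set()],            // no query parameters accepted
  ["example-report", new Set(["id"])],   // hypothetical page with one reviewed parameter
]);

// Decide whether an extension-supplied URL may be opened in a tab.
// Anything not explicitly allowlisted is refused.
function checkExtensionAboutUrl(spec) {
  let url;
  try {
    url = new URL(spec);
  } catch (e) {
    return { allowed: false, reason: "unparseable" };
  }
  if (url.protocol !== "about:") {
    return { allowed: false, reason: "not-about-scheme" };
  }
  // The page name is the opaque path of an about: URL. Lower-case it so the
  // comparison does not depend on how the caller capitalised the name.
  const page = url.pathname.toLowerCase();
  const permittedParams = ABOUT_ALLOWLIST.get(page);
  if (permittedParams === undefined) {
    // Covers about:config and every other page nobody has reviewed.
    return { allowed: false, reason: "page-not-allowlisted" };
  }
  // Query parameters are refused by default; a page only accepts the
  // parameter names that were reviewed and listed for it.
  for (const name of url.searchParams.keys()) {
    if (!permittedParams.has(name)) {
      return { allowed: false, reason: "query-parameter-not-permitted" };
    }
  }
  return { allowed: true, reason: "allowlisted" };
}
```

Keeping the permitted parameter names next to each page entry makes every exception to the "no query parameters" rule an explicit, reviewable line.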
Comment 57•4 years ago
Is there something I (or somebody else) could do to make this progress in any way?
Does this additionally include "moz-extension:" URIs, rather than solely "about:"?
(I ask because I am searching for an issue raised via Bugzilla that asks for support for extensions to be able to access other extensions' created pages so that "http://github.com/FilipePS/Traduzir-paginas-web/issues/457#issue-1338030996" might at least be eventually possible to remediate. Thanks.)
Comment 59•2 years ago (Reporter)
(In reply to BEEDELLROKEJULIANLOCKHART from comment #58)
> Does this additionally include "moz-extension:" URIs, rather than solely "about:"?
> (I ask because I am searching for an issue raised via Bugzilla that asks for support for extensions to be able to access other extensions' created pages so that "http://github.com/FilipePS/Traduzir-paginas-web/issues/457#issue-1338030996" might at least be eventually possible to remediate. Thanks.)
Responding mostly to clear the needinfo, not because I have any real knowledge here (I left Mozilla's employ two years ago).
Given that there has been no real action to make this happen over the past six years, the question of what the non-work hasn't covered seems intensely academic. If someone actually gets around to fixing this pain point for add-on developers, the set of schemes is certainly something they'll want to consider. You may wish to expand on use cases (here or in the bug you cite) to inform an eventual decision on this point. On the other hand, given that no motion has taken place in this entire time period, I would not hold my breath on progress being made.