Open Bug 1767798 Opened 3 years ago Updated 2 years ago

Restrict privileged contexts of manifest v3 WebExtension from loading type *SCRIPT* via HTTP, HTTPS

Categories

(Core :: DOM: Security, task, P2)

task

Tracking

()

ASSIGNED

People

(Reporter: freddy, Assigned: freddy)

References

Details

(Whiteboard: [domsecurity-active])

The idea is to block loading scripts via HTTP/HTTPS from privileged extension content (background scripts, background pages, etc.). This would turn some of the policy restrictions for WebExtensions into runtime enforcement.

It should be possible to create a new set of pre-request restrictions in DoContentSecurityChecks and inspect the Principal's AddonPolicy (and thus manifestVersion).

P.S.: We did something quite similar for the SystemPrincipal context (bug 1767395) and are doing the same for privileged about pages (bug 1767581).

Priority: -- → P2
Whiteboard: [domsecurity-active]
Depends on: 1789751