Bug 1396172 - Add support for WebExtensions: Part 1: Content Policy. r=jorgk
authorPhilipp Kewisch <mozilla@kewis.ch>
Sun, 19 Mar 2017 20:54:22 +0100
changeset 29183 c91a3bb11073b23afbc95eadbcc7315eda68783d
parent 29182 4e295e35945bdda7ecc14324605514c5f5f32216
child 29184 cd77c19988de02bb45aaee2f568f62ce357c9d5e
push id2068
push userclokep@gmail.com
push dateMon, 13 Nov 2017 19:02:14 +0000
treeherdercomm-beta@9c7e7ce8672b [default view] [failures only]
reviewersjorgk
bugs1396172
Bug 1396172 - Add support for WebExtensions: Part 1: Content Policy. r=jorgk MozReview-Commit-ID: txkLk9jxr4
mail/app/profile/all-thunderbird.js
mailnews/base/src/nsMsgContentPolicy.cpp
--- a/mail/app/profile/all-thunderbird.js
+++ b/mail/app/profile/all-thunderbird.js
@@ -158,16 +158,21 @@ pref("extensions.hotfix.certs.2.sha1Fing
 // Disable add-ons installed into the shared user and shared system areas by
 // default. This does not include the application directory. See the SCOPE
 // constants in AddonManager.jsm for values to use here
 pref("extensions.autoDisableScopes", 15);
 
 // Enable add-ons installed and owned by the application, like the default theme.
 pref("extensions.startupScanScopes", 4);
 
+// Add-on content security policies.
+pref("extensions.webextensions.base-content-security-policy", "script-src 'self' https://* moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; object-src 'self' https://* moz-extension: blob: filesystem:;");
+pref("extensions.webextensions.default-content-security-policy", "script-src 'self'; object-src 'self';");
+
+
 // Allow "legacy" XUL/XPCOM extensions.
 pref("extensions.legacy.enabled", true);
 
 // Preferences for AMO integration
 pref("extensions.getAddons.cache.enabled", true);
 pref("extensions.getAddons.maxResults", 15);
 pref("extensions.getAddons.get.url", "https://services.addons.mozilla.org/%LOCALE%/%APP%/api/%API_VERSION%/search/guid:%IDS%?src=thunderbird&appOS=%OS%&appVersion=%VERSION%");
 pref("extensions.getAddons.getWithPerformance.url", "https://services.addons.mozilla.org/%LOCALE%/%APP%/api/%API_VERSION%/search/guid:%IDS%?src=thunderbird&appOS=%OS%&appVersion=%VERSION%&tMain=%TIME_MAIN%&tFirstPaint=%TIME_FIRST_PAINT%&tSessionRestored=%TIME_SESSION_RESTORED%");
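Review bot: The one-line comment above the two new prefs does not say how `base-content-security-policy` and `default-content-security-policy` differ, and the base value is the permissive one (`'unsafe-eval'`, `'unsafe-inline'` and `https://*` as script sources). A reader who sees only this file could take the base string for the policy extensions normally run under. I would expand the comment along the lines of `// base: outer limit applied to every extension page, even one declaring its own CSP` and `// default: policy used when an extension declares none`, assuming that is how the consumer (not shown here) reads them. Since extension pages in a mail client may handle message data, the comment should also say whether allowing remote `https://*` scripts in the base policy is deliberate. The second blank line added after the prefs can be dropped.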
--- a/mailnews/base/src/nsMsgContentPolicy.cpp
+++ b/mailnews/base/src/nsMsgContentPolicy.cpp
@@ -442,24 +442,27 @@ nsMsgContentPolicy::IsExposedProtocol(ns
 
   // check if customized exposed scheme
   if (mCustomExposedProtocols.Contains(contentScheme))
     return true;
 
   bool isData;
   bool isChrome;
   bool isRes;
+  bool isMozExtension;
   rv = aContentLocation->SchemeIs("chrome", &isChrome);
   NS_ENSURE_SUCCESS(rv, false);
   rv = aContentLocation->SchemeIs("resource", &isRes);
   NS_ENSURE_SUCCESS(rv, false);
   rv = aContentLocation->SchemeIs("data", &isData);
   NS_ENSURE_SUCCESS(rv, false);
+  rv = aContentLocation->SchemeIs("moz-extension", &isMozExtension);
+  NS_ENSURE_SUCCESS(rv, false);
 
-  return isChrome || isRes || isData;
+  return isChrome || isRes || isData || isMozExtension;
 }
 
 /**
  * We block most unexposed protocols - apart from http(s) and file.
  */
 bool
 nsMsgContentPolicy::ShouldBlockUnexposedProtocol(nsIURI *aContentLocation)
 {
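Review bot: The new `isMozExtension` term in the return statement makes every `moz-extension:` URI count as exposed on the strength of the content location alone, without looking at who requests it. If the callers of IsExposedProtocol accept exposed schemes without further checks (they are outside this hunk), a load requested from message content would pass this policy as well, so the restriction has to come from elsewhere, presumably the extension's web-accessible-resources check. I would record that above the new SchemeIs call, e.g. `// moz-extension: is exposed for extension pages; loads from message content rely on the web-accessible-resources check (confirm)`. The function's signature and doc comment sit above the hunk and probably need `moz-extension` added to the schemes they list.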