upgrade-insecure-requests added to default MV3 CSP #23114
Understandably, this PR is heavily focused on the mechanical aspects of the updated (default) CSP directive. For context, I'd like to emphasize that CSP is merely an implementation detail to achieve the goal of defaulting to secure requests. The documentation is technically accurate, but possibly not easy to find for those who are looking for a way to make network requests.
The feedback below is feedback on the documentation as written; I'd like to see a follow-up that links the information from a more obvious place.
Performing network requests is a very common need in browser extensions, but we don't have any page like that at all. For the lack of anything better, we currently bury some permission requirements under https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/host_permissions (and for MV2, https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions). These pages along with the new CSP section should be linked from the tutorial that explains how to perform a network request. MDN already has documentation on fetch (https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch), so we only need to explain the relevance of extension-specific details: host permissions, the default CSP (this PR), and that this mostly applies to cross-origin requests from extension contexts (and not content script contexts, which at least in MV3 do not have elevated cross-origin permissions). Here is a dated example of Chrome's documentation (using `XMLHttpRequest`, which is the ancient predecessor to `fetch`): https://developer.chrome.com/docs/extensions/mv3/xhr/
Co-authored-by: Rob Wu <[email protected]>
This pull request has merge conflicts that must be resolved before it can be merged.
@@ -59,6 +59,7 @@ This article provides information about the changes in Firefox 109 that will aff | |||
## Changes for add-on developers | |||
|
|||
- Manifest V3 is now supported with the ability to sign and release Manifest V3 extensions on AMO. See the [Manifest v3 signing available November 21 on Firefox Nightly](https://blog.mozilla.org/addons/2022/11/17/manifest-v3-signing-available-november-21-on-firefox-nightly/) blog post for more information. | |||
- The default [Content Security Policy (CSP)](/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy) for Manifest V3 extensions has been updated to include `upgrade-insecure-requests`. This means that, by default, all network requests are upgraded to use `https:`. Extensions that need to use `http:` can do so by overriding the default CSP using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key ({{bug(1797086)}}). |
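Review bot: the two links in the added bullet are inconsistent and the first one is too coarse. The CSP link is `/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy` (no `/en-US` prefix) while the manifest-key link is `/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy`; pick one form for both, and, as the review comment on this hunk asks, point the CSP link at the `#upgrade_insecure_network_requests_in_manifest_v3` section rather than the top of the page, since that is where the new behaviour is explained. Separately, "all network requests are upgraded to use `https:`" overstates the scope: as noted earlier in the thread, the directive governs requests from extension contexts (extension pages and background scripts), not content scripts, so "requests made by the extension's own pages" would be more accurate. It would also help to say that an override replaces the whole default policy, so an extension that needs `http:` should keep `script-src 'self'` and drop only `upgrade-insecure-requests`.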
Please fit the link to #upgrade_insecure_network_requests_in_manifest_v3 in this section.
@Rob--W are you happy if I raise a new issue for the new page requested in the paragraph "Performing network requests is a very common need in browser extensions, but we don't have any page like that at all."?
Yes, thanks!
Description
Adds information to the CSP page and release notes about the addition of `upgrade-insecure-requests` to the default MV3 CSP.
Related issues and pull requests
Document a change made in Bug 1797086: Use https by default in requests from extensions, e.g. via extension CSP.
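The release note above says an MV3 extension that needs `http:` can override the default CSP through the `content_security_policy` manifest key. Because an override replaces the default policy wholesale, a reviewer wants to know two things about any such manifest: whether `upgrade-insecure-requests` is still in effect for extension pages, and whether the override also loosened `script-src`. The following is an added example written for this page, not code from the MDN PR, Firefox, or any extension. It assumes the default MV3 extension-pages policy is `script-src 'self'; upgrade-insecure-requests;` (the page does not quote the string, so this is an assumption), and the function names and the three sample manifests are constructed for illustration.

```javascript
// Added example (not from the MDN PR or the Firefox project): audit a
// Manifest V3 manifest for the CSP change discussed in this thread.

// Assumption: Firefox's default CSP for MV3 extension pages. The thread
// does not quote the string; this is what the example takes it to be.
const DEFAULT_MV3_CSP = "script-src 'self'; upgrade-insecure-requests;";

// Parse a CSP string into a Map of directive name -> array of source values.
// Directives are separated by ';', tokens by whitespace; names are
// case-insensitive, so they are normalised to lower case.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' leaves an empty chunk
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// The policy that applies to extension pages: the manifest's
// content_security_policy.extension_pages override if present, else the default.
function effectiveExtensionPagesCsp(manifest) {
  const override = manifest.content_security_policy?.extension_pages;
  return typeof override === "string" ? override : DEFAULT_MV3_CSP;
}

// Return a list of findings (empty when the policy is as strict as the default).
function auditManifestCsp(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push("not-mv3: the default upgrade-insecure-requests only applies to Manifest V3");
    return findings;
  }
  const csp = parseCsp(effectiveExtensionPagesCsp(manifest));

  // Without this directive, http: requests from extension pages are sent as-is.
  if (!csp.has("upgrade-insecure-requests")) {
    findings.push("http-allowed: upgrade-insecure-requests is absent from extension_pages CSP");
  }

  // An override that widens script-src beyond keyword sources ('self' etc.)
  // is a separate regression from merely allowing http: fetches.
  const scriptSrc = csp.get("script-src") ?? [];
  const hostSources = scriptSrc.filter((src) => !src.startsWith("'"));
  if (hostSources.length > 0) {
    findings.push(`remote-script: script-src allows ${hostSources.join(" ")}`);
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const usesDefault = { manifest_version: 3, name: "Sample A (no override)" };

const overrideDropsUpgrade = {
  manifest_version: 3,
  name: "Sample B (override to allow http:)",
  content_security_policy: { extension_pages: "script-src 'self';" },
};

const overrideKeepsUpgrade = {
  manifest_version: 3,
  name: "Sample C (override that keeps the upgrade)",
  content_security_policy: {
    extension_pages:
      "script-src 'self'; upgrade-insecure-requests; connect-src https://api.example.invalid",
  },
};

for (const m of [usesDefault, overrideDropsUpgrade, overrideKeepsUpgrade]) {
  const findings = auditManifestCsp(m);
  console.log(`${m.name}: ${findings.length === 0 ? "OK" : findings.join("; ")}`);
}
```

Sample B is exactly the override the release note describes (an extension that needs `http:`), and the audit flags it as `http-allowed` rather than rejecting it; the point is that the relaxation is visible and deliberate, and that `script-src 'self'` was kept. Sample C shows that an override can add directives such as `connect-src` without losing the upgrade behaviour.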