verify upcoming CSP/Manifest v3 changes #270

Open
balmas opened this issue Dec 17, 2019 · 4 comments

balmas commented Dec 17, 2019

See https://blog.mozilla.org/addons/2019/12/12/test-the-new-csp-for-content-scripts/?utm_source=newsletter&utm_medium=email&utm_campaign=2019-dec-about-addons

@kirlat I'm assigning this to you because I'm a little worried about the upcoming restriction on remotely hosted code and how that does or doesn't impact the architecture for the cedict service. It would be good to know ASAP if it will be impacted by this upcoming change.

balmas commented Dec 17, 2019

kirlat commented Dec 18, 2019

Thanks for the links, that's very interesting, I will study it.

kirlat commented Dec 18, 2019

I need to study it more but it seems the changes related to remote code execution are:

  • Are you currently using chrome.tabs.executeScript({code: '...'}), eval(), or new Function() in background contexts or content scripts?
  • Move all external code (JS, Wasm, CSS) into your extension bundle.
  • Update script and style references to load resources from the extension bundle.
  • Use chrome.runtime.getURL() to build resource URLs at runtime.

If that's so, we're not affected because that's not what we're doing. For CEDICT to be working we need to be able to do two things:

  • Content script (components, that is) needs to create an iframe that will load a document from the Alpheios server
  • Content script needs to be able to send a message (using window.postMessage) to the iframe and send a response back

With our iframe model we do not execute any code, we're just sending a message. Moreover, the iframe is inserted into a page and thus is outside of the content script realm and thus it shall not be subject to content script restrictions. So we may be good, to the best of my understanding, but I will try to test it ASAP.
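
The iframe messaging model described in the comment above, as an added example that is not part of the original thread or the project's code: the content-script side sends only data to the iframe and accepts a reply only from the expected origin and frame. `IFRAME_ORIGIN`, the `IframeMessenger` class and the message shape (`type`, `id`, `body`) are assumptions made for illustration.

```javascript
// Placeholder origin (assumption): stands in for the server that hosts the iframe document.
const IFRAME_ORIGIN = 'https://dictionary.example';

// Content-script side: pairs each request sent to the iframe with its reply.
// In a content script this would be created as (hypothetical usage):
//   new IframeMessenger(iframe.contentWindow, window)
class IframeMessenger {
  constructor(iframeWindow, hostWindow, iframeOrigin = IFRAME_ORIGIN) {
    this.iframeWindow = iframeWindow;
    this.iframeOrigin = iframeOrigin;
    this.pending = new Map(); // request id -> resolve callback
    this.nextId = 1;
    hostWindow.addEventListener('message', (event) => this.onMessage(event));
  }

  // Sends plain data, never code. The explicit targetOrigin means the browser
  // delivers the message only if the frame still holds a document from that origin.
  request(body) {
    const id = this.nextId++;
    return new Promise((resolve) => {
      this.pending.set(id, resolve);
      this.iframeWindow.postMessage({ type: 'request', id, body }, this.iframeOrigin);
    });
  }

  // Returns true only when the event was accepted as the reply to a pending request.
  onMessage(event) {
    if (event.origin !== this.iframeOrigin) return false; // sender has another origin
    if (event.source !== this.iframeWindow) return false; // sender is not our iframe
    const msg = event.data;
    if (!msg || msg.type !== 'response' || !this.pending.has(msg.id)) return false;
    const resolve = this.pending.get(msg.id);
    this.pending.delete(msg.id); // each id is answered once; repeats are ignored
    resolve(msg.body);
    return true;
  }
}
```

The reply body is treated as data by the caller; nothing in this exchange passes through `eval()`, `new Function()` or `executeScript`.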

balmas commented Dec 18, 2019

ok, thanks!
