
Removal of support for the object-src directive #21190

Merged (6 commits) on Oct 3, 2022

Conversation

rebloor (Contributor) commented Sep 29, 2022

Description

Adds a release note to provide documentation for Bug 1766881 Remove object-src requirement from the extension CSP, at least in MV3. Also includes some miscellaneous edits to the `content_security_policy` manifest key page.

Related issues and pull requests

Browser compatibility data PR: mdn/browser-compat-data#17901

@rebloor rebloor added the Content:WebExt WebExtensions docs label Sep 29, 2022
@rebloor rebloor requested a review from Rob--W September 29, 2022 17:57
@rebloor rebloor requested a review from a team as a code owner September 29, 2022 17:57
@rebloor rebloor self-assigned this Sep 29, 2022
@rebloor rebloor requested review from willdurand and bsmth and removed request for a team September 29, 2022 17:57
@github-actions github-actions bot added the Content:Other Any docs not covered by another "Content:" label label Sep 29, 2022
willdurand (Member) left a comment:

LGTM


> **Note:** The examples below include the {{CSP("script-src")}} directive because this was required in older browser versions. This directive is optional in modern browsers without obsolete [plugins](/en-US/docs/Glossary/Plugin) ([more information](https://github.com/w3c/webextensions/issues/204)).
> **Note:** The examples include the {{CSP("script-src")}} directive, which was required in older browser versions. This directive is optional in modern browsers without obsolete [plugins](/en-US/docs/Glossary/Plugin). See W3C Web Extensions issue [204](https://github.com/w3c/webextensions/issues/204), Remove object-src from the CSP (at least in MV3), for more information.
Member wrote:

Suggested change
> **Note:** The examples include the {{CSP("script-src")}} directive, which was required in older browser versions. This directive is optional in modern browsers without obsolete [plugins](/en-US/docs/Glossary/Plugin). See W3C Web Extensions issue [204](https://github.com/w3c/webextensions/issues/204), Remove object-src from the CSP (at least in MV3), for more information.
> **Note:** The examples include the {{CSP("script-src")}} directive, which was required in older browser versions. This directive is optional in modern browsers without obsolete [plugins](/en-US/docs/Glossary/Plugin). See W3C Web Extensions Community Group issue [204](https://github.com/w3c/webextensions/issues/204), Remove object-src from the CSP (at least in MV3), for more information.

(maybe)

Member wrote:

+1 to what Will said. Also move the "issue" text before the number into the link, [issue 204](....)

rebloor (Contributor, PR author) wrote:

Done, also on checking I noticed that webextensions doesn't have a space in it in the group name.

@@ -52,6 +52,8 @@ This article provides information about the changes in Firefox 106 that will aff

## Changes for add-on developers

- The `object-src` directive in the `"content-security-policy"` manifest key is now optional in Manifest V3. This is because the `object-src` directive is only required for browsers with obsolete [plugins](/en-US/docs/Glossary/Plugin), and browsers enabling Manifest V3 don't contain such plugins. See W3C Web Extensions issue [204](https://github.com/w3c/webextensions/issues/204), Remove object-src from the CSP (at least in MV3), for more information. ({{bug(1766881)}})
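Review bot: the manifest key is written in this entry as `"content-security-policy"` with hyphens, but the key being documented is `content_security_policy` with underscores (the page title and the Manifest V3 description elsewhere in this PR use the underscore form); a developer copying the name from the release note gets a key the browser ignores. Two smaller points: the entry scopes the change to Manifest V3 ("now optional in Manifest V3") while the bug it cites says "at least in MV3", so state explicitly whether Manifest V2 manifests are affected; and set the issue title, Remove object-src from the CSP (at least in MV3), off in quotes so it does not read as part of the surrounding sentence.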
Member wrote:

Suggested change
- The `object-src` directive in the `"content-security-policy"` manifest key is now optional in Manifest V3. This is because the `object-src` directive is only required for browsers with obsolete [plugins](/en-US/docs/Glossary/Plugin), and browsers enabling Manifest V3 don't contain such plugins. See W3C Web Extensions issue [204](https://github.com/w3c/webextensions/issues/204), Remove object-src from the CSP (at least in MV3), for more information. ({{bug(1766881)}})
- The `object-src` directive in the `"content-security-policy"` manifest key is now optional in Manifest V3. This is because the `object-src` directive is only required for browsers with obsolete [plugins](/en-US/docs/Glossary/Plugin), and browsers enabling Manifest V3 don't contain such plugins. See W3C Web Extensions Community Group issue [204](https://github.com/w3c/webextensions/issues/204), Remove object-src from the CSP (at least in MV3), for more information. ({{bug(1766881)}})

rebloor (Contributor, PR author) wrote:

Done

@@ -113,14 +113,14 @@ In Manifest V3, the `content_security_policy` key is an object that may have any
</tbody>
</table>

## Example
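Review bot: renaming the `## Example` heading changes the auto-generated fragment (`#example`) that inbound links use, and the hunk header shows the whole 14-line section is touched; before landing the rename, check MDN content and the Extension Workshop for links to the old fragment, and if the section now contains more than one example, say so in its first sentence so the rename is justified by the content rather than by style.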
Member wrote:

Renaming a heading may break existing links, because the link is generated from the header content. If not absolutely necessary, I try to avoid header changes after publication.

If it's worth making the change, we should double-check that there are no references to the old header (at least on MDN, but also the extension workshop).

In this case I think that it's fine to proceed with the change, but I am noting this to emphasize the consideration that I made in evaluating this change.

rebloor (Contributor, PR author) wrote:

Good point, I did check. I couldn't find any links to this heading, and there are only three cross-reference links to example/examples headings in the add-ons content!


```json example-bad
"content_security_policy": "script-src 'self' https://*.jquery.com;"
```

However, this is only invalid in browsers that support obsolete [plugins](/en-US/docs/Glossary/Plugin). See W3C Web Extensions issue [204](https://github.com/w3c/webextensions/issues/204), Remove object-src from the CSP (at least in MV3), for more information.
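Review bot: the `example-bad` label and the sentence after it pull in opposite directions: the block is marked bad, the prose then says it is only invalid in browsers with obsolete plugins, and neither says what is actually missing, namely an `object-src` directive. State the missing directive next to the block, and keep `https://*.jquery.com` out of this example: a remote script source is a separate reason a policy may be rejected under the "only secure sources" rule for `script-src` stated in the requirement list elsewhere in this PR, so a reader cannot tell which of the two problems the label refers to. The WECG reference here repeats the one in the note above it; a single link from the object-src section is enough.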
Member wrote:

Similarly to the other instance, add "CG" before "issue" and put "issue" within the brackets.

rebloor (Contributor, PR author) wrote:

Done

@@ -52,6 +52,8 @@ This article provides information about the changes in Firefox 106 that will aff

## Changes for add-on developers

- The `object-src` directive in the `"content-security-policy"` manifest key is now optional in Manifest V3. This is because the `object-src` directive is only required for browsers with obsolete [plugins](/en-US/docs/Glossary/Plugin), and browsers enabling Manifest V3 don't contain such plugins. See W3C Web Extensions issue [204](https://github.com/w3c/webextensions/issues/204), Remove object-src from the CSP (at least in MV3), for more information. ({{bug(1766881)}})
Member wrote:

Suggested change
- The `object-src` directive in the `"content-security-policy"` manifest key is now optional in Manifest V3. This is because the `object-src` directive is only required for browsers with obsolete [plugins](/en-US/docs/Glossary/Plugin), and browsers enabling Manifest V3 don't contain such plugins. See W3C Web Extensions issue [204](https://github.com/w3c/webextensions/issues/204), Remove object-src from the CSP (at least in MV3), for more information. ({{bug(1766881)}})
- The `object-src` directive in the `"content-security-policy"` manifest key is now optional. This only existed to restrict obsolete [plugins](/en-US/docs/Glossary/Plugin), whose support has been dropped a long time ago from Firefox. See W3C Web Extensions CG [issue 204](https://github.com/w3c/webextensions/issues/204), Remove object-src from the CSP (at least in MV3), for more information. ({{bug(1766881)}})

The change is not MV3-specific. In the documentation, I mentioned the potential need for keeping it in MV2 in case an extension dev wants to be backwards-compatible with older versions. MV3 is already backwards incompatible, so the concern does not apply there.

The reference to the WECG has been repeated 4 times. It may make sense to create one subsection that explains the background (feel free to use information from the WECG issue) and then refer to that from the docs and changelog.

rebloor (Contributor, PR author) wrote:

With regard to the repetition of the WECG reference, given that we're talking about something that is no longer required, adding a specific section seems unnecessary. On the `content_security_policy` page, maybe we could remove the second two references and just keep the first one?

Member wrote:

It's no longer required in Firefox nor Firefox.

However, it has been required for many years in Firefox, and continued to be required in Chrome if one wants to customize the CSP. Documentation and examples will most likely include object-src, so some documentation of the history and an explicit statement that it's not required would be nice.

FYI:

- This only affects extensions that want to customize the CSP in the manifest file.
- In older Firefox, if it wasn't specified, the whole policy was ignored and the default CSP would be applied instead. The bad thing about this is that if the extension had specified a stricter CSP in other parts (e.g. default-src, frame-src, etc.), it would be ignored.
- In Chrome, if it's missing or deemed insecure, the object-src directive is replaced with the default (object-src 'self'), and a warning message is logged. Now that I'm writing this out, this behavior doesn't sound too bad.
- In Safari there is no object-src requirement. IIRC this defaults to 'self'.
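
The browser behaviours listed in the comment above, turned into a small JavaScript model. This is an added example and is not code from the MDN page, from this PR, or from any browser: `DEFAULT_CSP`, the CSP parser, the narrow "insecure script source" test, the browser profile names (`firefox-old`, `chrome`, `firefox-106`, `safari`) and the two sample manifests are all assumptions for illustration. It reads the policy from a Manifest V2 string or a Manifest V3 object (assumed to carry an `extension_pages` member), checks the `script-src` requirement from the bullet list in this PR, and then shows what each profile does when `object-src` is absent: old Firefox discards the whole custom policy, Chrome patches in `object-src 'self'` with a warning, and current Firefox or Safari uses the policy as written.

```javascript
// Added example, not code from the MDN page or this PR: a model of how the
// browsers described in the thread treat a customised extension CSP that
// omits "object-src". DEFAULT_CSP, the parser, the "insecure source" test and
// the browser profiles are assumptions for illustration, not browser code.

// Assumed fallback applied when a custom policy is rejected (the documented
// Manifest V2 default, stated here as an assumption).
const DEFAULT_CSP = "script-src 'self'; object-src 'self';";

// Parse "dir a b; dir2 c;" into a Map of directive name -> source list.
// A Map keeps insertion order, so serialising preserves the author's order.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([name, values]) => [name, ...values].join(" ")).join("; ") + ";";
}

// Manifest V2 stores the policy as a string; Manifest V3 stores an object whose
// "extension_pages" member (assumed name) holds the policy for extension pages.
function extensionPagesPolicy(manifest) {
  const key = manifest.content_security_policy;
  if (key === undefined) return null;
  return typeof key === "string" ? key : key.extension_pages ?? null;
}

// Requirement from the bullet list in this PR: script-src (or default-src in
// its place) must include 'self' and only secure sources. The exact MV2/MV3
// allow-lists are not modelled; this check is deliberately narrow.
const INSECURE_SCRIPT_SOURCE = /^('unsafe-inline'|'unsafe-eval'|\*|http:.*)$/i;

function scriptSourceProblems(directives) {
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (!sources) return ["neither script-src nor default-src is present"];
  const problems = [];
  if (!sources.includes("'self'")) problems.push("script-src must include 'self'");
  for (const s of sources) {
    if (INSECURE_SCRIPT_SOURCE.test(s)) problems.push(`insecure script source ${s}`);
  }
  return problems;
}

// Browser profiles modelled on the behaviours listed in the thread. Returns the
// policy the extension pages actually get plus what the browser would log.
function applyBrowser(browser, policy) {
  const directives = parseCsp(policy);
  const warnings = scriptSourceProblems(directives);
  if (warnings.length > 0) {
    // Assumption: an invalid script-src makes every profile fall back to the default.
    return { effective: DEFAULT_CSP, warnings };
  }
  const objectSrc = directives.get("object-src");
  switch (browser) {
    case "firefox-old":
      // Missing object-src: the whole custom policy is ignored and the default
      // applies, so a stricter default-src or frame-src is silently lost.
      if (!objectSrc) {
        return { effective: DEFAULT_CSP, warnings: ["object-src missing: whole policy ignored"] };
      }
      return { effective: serializeCsp(directives), warnings };
    case "chrome":
      // Missing or insecure object-src is replaced by 'self' with a warning;
      // the rest of the policy survives.
      if (!objectSrc || !objectSrc.every((s) => s === "'self'" || s === "'none'")) {
        directives.set("object-src", ["'self'"]);
        warnings.push("object-src missing or insecure: replaced with 'self'");
      }
      return { effective: serializeCsp(directives), warnings };
    case "firefox-106":
    case "safari":
      // No object-src requirement: the policy is used as written.
      return { effective: serializeCsp(directives), warnings };
    default:
      throw new Error(`unknown browser profile: ${browser}`);
  }
}

function checkManifest(manifest, browser) {
  const policy = extensionPagesPolicy(manifest);
  if (policy === null) return { effective: DEFAULT_CSP, warnings: ["no custom policy: default applies"] };
  return applyBrowser(browser, policy);
}

// Constructed sample manifests (not taken from the page).
const mv2Manifest = {
  manifest_version: 2,
  content_security_policy: "default-src 'none'; script-src 'self'; frame-src 'none';",
};
const mv3Manifest = {
  manifest_version: 3,
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'none';" },
};

for (const browser of ["firefox-old", "chrome", "firefox-106"]) {
  console.log(browser, JSON.stringify(checkManifest(mv2Manifest, browser)));
}
```

The MV2 sample is the case the comment warns about: it tightens `default-src` and `frame-src` but omits `object-src`, so the old-Firefox profile throws the entire policy away and the page ends up with the looser default, while the Chrome profile keeps the tightened directives and only adds `object-src 'self'`. Adding `object-src 'none'` to the policy, as the MV3 sample does, satisfies every profile.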

rebloor (Contributor, PR author) wrote:

@Rob--W I've now created a separate section to deal with object-src, please take a look and let me know if this is good to go.

@rebloor rebloor requested a review from Rob--W September 29, 2022 22:34
github-actions bot (Contributor) commented Sep 29, 2022

Preview URLs

External URLs (3)

URL: /en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy
Title: content_security_policy

(this comment was updated 2022-10-03 22:07:51.614676)

Rob--W (Member) left a comment:

r+ for accuracy, please address the two minor issues before merging though.

@@ -52,6 +52,8 @@ This article provides information about the changes in Firefox 106 that will aff

## Changes for add-on developers

- The `object-src` directive in the `"content-security-policy"` manifest key is now optional. The `object-src` directive was designed to restrict obsolete [plugins](/en-US/docs/Glossary/Plugin), and support for these plugins was dropped from Firefox some time ago. See W3C WebExtensions Community Group [issue 204](https://github.com/w3c/webextensions/issues/204), Remove object-src from the CSP (at least in MV3), for more information. ({{bug(1766881)}})
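Review bot: "support for these plugins was dropped from Firefox some time ago" is too vague for a release note; give the Firefox version in which plugin support was removed, or link the earlier release note that records it. The key name still reads `"content-security-policy"` with hyphens rather than `content_security_policy`, and the sentence restates the WECG issue title instead of linking the new object-src section of the `content_security_policy` page, which is where the history now lives.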
Member wrote:

Could you simplify this and refer to your new section?


- The {{CSP("script-src")}} directive must include at least the `'self'` keyword, and may only contain secure sources. The set of permitted secure sources differ between Manifest V2 and Manifest V3.
- The policy may include just {{CSP("default-src")}} (without {{CSP("script-src")}}) if its sources meet the requirement for the {{CSP("script-src")}} directive.
- The {{CSP("object-src")}} keyword may be required in some browsers that support obsolete [plugins](/en-US/docs/Glossary/Plugin). If required, it should be set to a secure source such as `'none'`. This may be required for browsers up until 2022 ([more information](https://github.com/w3c/webextensions/issues/204)).
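Review bot: deleting the `object-src` bullet leaves the requirement list with no mention of a directive that older Firefox and Chrome still insist on when the policy is customised (see the browser notes earlier in this thread), so a developer who supports older versions gets no guidance from the list itself. Keep a one-line bullet saying the directive is optional in current browsers, that `'none'` is the safe value when it is included, and link the object-src section; "browsers up until 2022" should name versions rather than a year.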
Member wrote:

Could you keep/shorten the bullet point instead of removing it? It's part of the bullet list (connected to the previous point), which is supposed to be a complete list.

Do refer to the new section.

rebloor (Contributor, PR author) commented Oct 3, 2022

Thanks @Rob--W, I've made the changes you requested and will merge.

@rebloor rebloor merged commit f9c963c into mdn:main Oct 3, 2022
@rebloor rebloor deleted the object-src-not-supported branch October 3, 2022 22:08
3 participants