Bug 1917000 - Stop injecting after "userScripts" revocation r=zombie

Differential Revision: https://phabricator.services.mozilla.com/D229715
2024-11-26 22:32:46 +00:00 · 2024-11-22 16:03:11 +00:00 · 2024-11-22 16:03:11 +00:00 · ea38eaf128
commit ea38eaf128
parent ce07cca0f1
3 changed files with 27 additions and 0 deletions
--- a/toolkit/components/extensions/WebExtensionPolicy.cpp
+++ b/toolkit/components/extensions/WebExtensionPolicy.cpp
@ -825,6 +825,12 @@ bool MozDocumentMatcher::Matches(const DocInfo& aDoc,
    return false;
  }

+  if (mIsUserScript && mExtension &&
+      !mExtension->HasPermission(nsGkAtoms::userScripts)) {
+    // The "userScripts" permission can be revoked after script registration.
+    return false;
+  }
+
  // Top-level about:blank is a special case. Unlike about:blank frames/windows
  // opened by web pages, these do not have an origin that could be matched by
  // a match pattern (they have a null principal instead). To allow extensions
--- a/toolkit/components/extensions/test/xpcshell/test_ext_userScripts_mv3_injection.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_userScripts_mv3_injection.js
@ -53,6 +53,12 @@ add_task(async function userScript_runs_in_MAIN_world() {
      "6.file.js": "resultCollector.push('6.file');dump('6.file.js ran\\n');",
    },
    async background() {
+      browser.test.onMessage.addListener(async msg => {
+        browser.test.assertEq("revoke_permission", msg, "Expected msg");
+        await browser.permissions.remove({ permissions: ["userScripts"] });
+        browser.test.assertEq(undefined, browser.userScripts, "API gone");
+        browser.test.sendMessage("revoke_permission:done");
+      });
      await browser.userScripts.register([
        {
          id: "basic",
@ -97,6 +103,20 @@ add_task(async function userScript_runs_in_MAIN_world() {
  await contentPageAfterRegister.close();
  await contentPageBeforeExtStarted.close();

+  // Verify that when the "userScripts" permission is revoked, that scripts
+  // won't be injected in new documents.
+  extension.sendMessage("revoke_permission");
+  await extension.awaitMessage("revoke_permission:done");
+  let contentPageAfterRevoke = await ExtensionTestUtils.loadContentPage(
+    "http://example.com/resultCollector"
+  );
+  Assert.deepEqual(
+    await collectResults(contentPageAfterRevoke),
+    [],
+    "Should not execute after permission revocation"
+  );
+  await contentPageAfterRevoke.close();
+
  await extension.unload();
 });

--- a/xpcom/ds/StaticAtoms.py
+++ b/xpcom/ds/StaticAtoms.py
@ -2034,6 +2034,7 @@ STATIC_ATOMS = [
    Atom("privateBrowsingAllowedPermission", "internal:privateBrowsingAllowed"),
    Atom("svgContextPropertiesAllowedPermission", "internal:svgContextPropertiesAllowed"),
    Atom("theme", "theme"),
+    Atom("userScripts", "userScripts"),
    # CSS Counter Styles
    Atom("decimal_leading_zero", "decimal-leading-zero"),
    Atom("arabic_indic", "arabic-indic"),