Rob Wu
This PR introduces the `--hid-record` and `--hid-replay` flags to support the use case of capturing events and replaying them (#4468). I have designed it such that it can also replay...
*Originally filed at https://github.com/w3c/webappsec-upgrade-insecure-requests/issues/32* UIR (and HSTS) are commonly implemented as an internal redirect from http to https (at least in Firefox and Chrome, AFAIK). This has implications for CORS,...
[examples.json](https://github.com/mdn/webextensions-examples/blob/9433f842d6295db366c399df752332d78a9cc859/examples.json) lists all samples plus relevant extension APIs in `javascript_apis`. But there are several extension APIs with significant functionality in their manifest keys. By significant, I mean not just because...
This repo has an `.eslintrc`, added in #244: https://github.com/mdn/webextensions-examples/blob/main/.eslintrc.json ... but it is stuck in 2017 and it doesn't appear to be enforced (evidenced by the plenty of failures when...
In Firefox, MV3 extensions are not granted host permissions at install time (MDN: [`host_permissions`: Requested permissions and user prompts](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/host_permissions#requested_permissions_and_user_prompts)). This includes patterns in content scripts and `host_permissions`. To avoid developer...
(Extracted out of https://github.com/mozilla/web-ext/pull/2868#pullrequestreview-1651734224 ) `web-ext sign` is expected to return the xpi (or instructions on downloading) when available. In mozilla/addons-server#2859 (where the source code uploading feature was added), it's...
### Describe the problem and steps to reproduce it: While looking into #4645, I noticed that the underlying issue is that one cannot make any assumptions on `this.parsedJSON`, other than...
The `CSP_MANIFEST` warning is emitted when a CSP is insecure. Its [message is defined](https://github.com/mozilla/addons-linter/blob/13cf0c7180ed2675d1c77099d74cc62d8f68bc20/src/messages/manifestjson.js#L192-L202) to be "content_security_policy allows remote code execution in manifest.json" (or "content_security_policy.extension_pages allows remote code execution in...
I created a new pull request at #4573, but CircleCI failed to trigger a build at first. I think that I fixed it, but there may still be an issue...
The current documentation of content signature verification and add-on certificate verification is inaccurate. This PR fixes a few inaccuracies. References: - https://bugzilla.mozilla.org/show_bug.cgi?id=1846866 ignores pref - https://bugzilla.mozilla.org/show_bug.cgi?id=1267318 ignores notAfter - https://bugzilla.mozilla.org/show_bug.cgi?id=1713628...