Commit 623a4f86 authored by Kris Maglione's avatar Kris Maglione

Bug 1254194: [webext] Allow extensions to register custom content security...

Bug 1254194: [webext] Allow extensions to register custom content security policies. r=billm f=aswan

MozReview-Commit-ID: 8L6ZsyDjIpf

--HG--
extra : rebase_source : b6ccbcf849b0e7db835d14a0ba9de588c0188869
extra : histedit_source : 7f966c1d821641fc3551dc4c508f5ce8f990d5a3%2Cafa5697b301620119147292745a2007961907fa8
parent bd8adfeb
+4 −0
@@ -96,6 +96,10 @@ pref("extensions.systemAddon.update.url", "https://aus5.mozilla.org/update/3/Sys
// See the SCOPE constants in AddonManager.jsm for values to use here.
pref("extensions.autoDisableScopes", 15);

// Add-on content security policies.
pref("extensions.webextensions.base-content-security-policy", "script-src 'self' https://* moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; object-src 'self' https://* moz-extension: blob: filesystem:;");
pref("extensions.webextensions.default-content-security-policy", "script-src 'self'; object-src 'self';");

// Require signed add-ons by default
pref("xpinstall.signatures.required", true);
pref("xpinstall.signatures.devInfoURL", "https://wiki.mozilla.org/Addons/Extension_Signing");
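Review bot: The comment `// Add-on content security policies.` above the two new prefs does not say how they relate, and the difference matters because the base value is far more permissive than the default one. Going by the IDL comments in this commit, the base policy is applied to every extension document in addition to any custom policy, so it acts as the upper bound: with `'unsafe-eval'`, `'unsafe-inline'` and `https://*` in its `script-src`, a custom policy can presumably opt into any of those. I would spell that out, e.g. `// base: ceiling applied to every extension document; default: used when the manifest supplies no policy of its own.` The same two prefs are added to the second prefs file in this commit (the hunk at -263,6) and want the same comment.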
+19 −0
@@ -14,6 +14,25 @@
[scriptable,uuid(8a034ef9-9d14-4c5d-8319-06c1ab574baa)]
interface nsIAddonPolicyService : nsISupports
{
  /**
   * Returns the base content security policy, which is applied to all
   * extension documents, in addition to any custom policies.
   */
  readonly attribute AString baseCSP;

  /**
   * Returns the default content security policy which applies to extension
   * documents which do not specify any custom policies.
   */
  readonly attribute AString defaultCSP;

  /**
   * Returns the content security policy which applies to documents belonging
   * to the extension with the given ID. This may be either a custom policy,
   * if one was supplied, or the default policy if one was not.
   */
  AString getAddonCSP(in AString aAddonId);

  /**
   * Returns true if unprivileged code associated with the given addon may load
   * data from |aURI|.
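Review bot: The doc comment on `getAddonCSP` does not say what a caller gets for an ID that has no active extension: the default policy, an empty string, or an exception. Callers that apply the result to a document need to know, since an empty string would presumably leave only the permissive base policy in force. I would add one sentence such as `Throws if no extension with the given ID is active.` or `Returns defaultCSP for unknown IDs.`, whichever matches the implementation, which is not visible in this hunk. The hunk ends inside the next method's comment.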
+4 −0
@@ -263,6 +263,10 @@ pref("services.kinto.update_enabled", true);
/* Don't let XPIProvider install distribution add-ons; we do our own thing on mobile. */
pref("extensions.installDistroAddons", false);

// Add-on content security policies.
pref("extensions.webextensions.base-content-security-policy", "script-src 'self' https://* moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; object-src 'self' https://* moz-extension: blob: filesystem:;");
pref("extensions.webextensions.default-content-security-policy", "script-src 'self'; object-src 'self';");

/* block popups by default, and notify the user about blocked popups */
pref("dom.disable_open_during_load", true);
pref("privacy.popups.showBrowserMessage", true);
+6 −6
@@ -1396,13 +1396,11 @@ Extension.prototype = extend(Object.create(ExtensionData.prototype), {
  }),

  startup() {
    try {
    let started = false;
    return this.readManifest().then(() => {
      ExtensionManagement.startupExtension(this.uuid, this.addonData.resourceURI, this);
    } catch (e) {
      return Promise.reject(e);
    }
      started = true;

    return this.readManifest().then(() => {
      if (!this.hasShutdown) {
        return this.initLocale();
      }
@@ -1428,7 +1426,9 @@ Extension.prototype = extend(Object.create(ExtensionData.prototype), {
      dump(`Extension error: ${e.message} ${e.filename || e.fileName}:${e.lineNumber} :: ${e.stack || new Error().stack}\n`);
      Cu.reportError(e);

      if (started) {
        ExtensionManagement.shutdownExtension(this.uuid);
      }

      this.cleanupGeneratedFile();
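Review bot: `started = true` is only reached when `ExtensionManagement.startupExtension(...)` returns normally, so if that call throws after doing part of its work, the error handler skips `shutdownExtension` and whatever was already registered stays behind. The startupExtension hunk in this commit shows it setting the uuid map entry and the load-URI and localize callbacks before the new `setAddonCSP` call; if `setAddonCSP` can throw (not visible here), the extension would fail to start with those callbacks still registered. Either have `startupExtension` undo its own registrations on failure or state the assumption here, e.g. `// startupExtension is assumed to register everything or nothing.` Both hunks cut through `startup()`, whose body continues outside them.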

+2 −0
@@ -160,6 +160,7 @@ var Service = {
    this.uuidMap.set(uuid, extension);
    this.aps.setAddonLoadURICallback(extension.id, this.checkAddonMayLoad.bind(this, extension));
    this.aps.setAddonLocalizeCallback(extension.id, extension.localize.bind(extension));
    this.aps.setAddonCSP(extension.id, extension.manifest.content_security_policy);
  },

  // Called when an extension is unloaded.
@@ -168,6 +169,7 @@ var Service = {
    this.uuidMap.delete(uuid);
    this.aps.setAddonLoadURICallback(extension.id, null);
    this.aps.setAddonLocalizeCallback(extension.id, null);
    this.aps.setAddonCSP(extension.id, null);

    let handler = Services.io.getProtocolHandler("moz-extension");
    handler.QueryInterface(Ci.nsISubstitutingProtocolHandler);
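Review bot: `extension.manifest.content_security_policy` is handed to `setAddonCSP` as-is in the first hunk, and nothing visible in this commit checks the string before it becomes the policy for the extension's documents. Because the base policy allows `'unsafe-inline'`, `'unsafe-eval'` and `https://*` scripts, a custom value with no `script-src` or `object-src` directive would presumably leave those documents governed by the base policy alone, which is looser than the default. If the manifest schema does not already enforce it, I would reject or ignore policies that lack those directives before registering them. A comment should also say that a missing manifest key, like the `null` passed on shutdown, means falling back to the default policy. Both functions start outside the hunks.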