Exposing SSLStatus to WebExtensions (and possibly extending it)

Hello everybody,

In https://bugzilla.mozilla.org/show_bug.cgi?id=3D1322748#c4 David Keeler=

suggested to bring this issue up in a public forum in order to decide
how and how much to expose of the nsISSLStatus interface and its
dependencies to WebExtensions, considering that many Firefox add-ons use
it either to provide enhanced security UIs  or to enforce stricter
security policies tailored on specific use cases.

Additionally, exposing also ECDHE/DHE parameters has been asked for the
same reasons ( https://bugzilla.mozilla.org/show_bug.cgi?id=3D1312195 ).

The most natural place to provide WebExtensions with this data is, IMHO,
in webRequest.onBeforeSendHeaders or in an ad-hoc event (onConnect?)
which needs anyway to be called before any HTTPS payload is actually
exchanged on the wire.

Personally (i.e. for the purposes of the Tails Download and Verify
Extension which I maintain) I would be fine with a thin wrapper over
nsISSLStatus and nsIX509Cert, but platform developers, security guys and
other add-ons authors likely have different but hopefully reconcilable
views on this matter, therefore I'm cross-posting to dev-platform,
dev-security and dev-addons hoping for the best outcome.


Giorgio Maone

1/26/2017 5:44:02 PM
mozilla.dev.security 649 articles. 0 followers. Post Follow

0 Replies

Similar Articles

[PageSpeed] 39