Unable to run extension host on new Phabricator versions
Created by: ijsnow
@chrismwendt and I discovered that new Phabricator versions add a content security policy to pages that doesn't include blob:, meaning the web worker containing the extension host is blocked from loading. We are able to add new URIs to Phabricator's CSP via our Phabricator extension, however we can't add blob: or unsafe-eval.
We need another way to run the extension host in order for extensions to work with new Phabricator versions. Chris and I discussed two possible options.
Inline the web worker code
We know that Phabricator's CSP doesn't prevent us from injecting <script> tags, because that's how we inject phabricator.bundle.js. With this, we can try to inline the web worker code.
This is the simplest option we discussed.
Run extension host in page
If the first option doesn't work, we'll have to make changes to the extension host to enable it to run in page as another script tag. This solution is much more involved. We'd have to solve for the following problems:
- Create a new message passing layer that previously was for communicating between extensions and the host. This is mostly just an implementation detail as it'll be less complicated since the code will all be running in the same context now.
- Running extensions without the ability to use unsafe-eval. This can be solved by running the extensions in newly injected <script> tags. The problem with this, however, is that we'd need to sandbox them and provide the extensions API by adding a polyfill for require. We could sandbox the extensions by fetching the raw file contents and wrapping it in an immediately invoked function and placing it in a script tag like so:
<script>
(function (require, ...) {
${extension code}
})(requirePolyfill, ...)
</script>
The hard part of this solution would be ensuring that the compiled extensions properly receive all the resources they need.
Update: this should be fixed in 3.4-c milestone.
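
The CSP behaviour described in this issue can be checked against any policy string. The following is an added example, not part of the original issue or the project's code. The function names and the sample policy are constructed for illustration (the sample is not Phabricator's actual header), and 'strict-dynamic', nonces and multiple policies are not modelled.

```javascript
// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the first directive in the fallback chain that the policy defines.
function effectiveDirective(policy, chain) {
  return chain.find((name) => policy.has(name)) || null;
}

// new Worker(blobUrl) is governed by worker-src, falling back to child-src,
// script-src, then default-src. Only an explicit blob: scheme source matches
// a blob: URL; 'self', host sources and * do not.
function blobWorkerCheck(header) {
  const policy = parseCsp(header);
  const directive = effectiveDirective(
    policy, ['worker-src', 'child-src', 'script-src', 'default-src']);
  const allowed = directive === null ||
    policy.get(directive).some((s) => s.toLowerCase() === 'blob:');
  return { allowed, directive };
}

// eval() and new Function() are governed by script-src, falling back to
// default-src, and need the 'unsafe-eval' keyword.
function evalCheck(header) {
  const policy = parseCsp(header);
  const directive = effectiveDirective(policy, ['script-src', 'default-src']);
  const allowed = directive === null ||
    policy.get(directive).some((s) => s.toLowerCase() === "'unsafe-eval'");
  return { allowed, directive };
}

// Constructed sample policy: extra script hosts are allowed, blob: is not.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://assets.example.com; object-src 'none'";

console.log('blob worker:', blobWorkerCheck(SAMPLE_CSP));
console.log('eval:', evalCheck(SAMPLE_CSP));
```

The `directive` field names which directive decided the result, which is the one a policy owner would need to extend with blob: for a blob-backed worker to load.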