@AprilSylph AprilSylph commented Nov 12, 2025

Description

Resolves the following web-ext warnings:

NOTICES:

Code                                  Message                                         Description                                                                                   File            Line   Column
MISSING_DATA_COLLECTION_PERMISSIONS   The "data_collection_permissions" property is   "/browser_specific_settings/gecko/data_collection_permissions" property will be required in   manifest.json                
                                      missing.                                        the future. Please add this key to the manifest. More information at:                                                      
                                                                                      https://mzl.la/blog-data-consent-firefox-nightly                                                                           
WARNINGS:

Code                    Message                                Description                                                                                    File                               Line   Column
UNSAFE_VAR_ASSIGNMENT   Unsafe call to import for argument 0   Due to both security and performance concerns, this may not be set using dynamic values        features/accesskit/index.js        6      45    
                                                               which have not been adequately sanitized. This can lead to security issues or fairly serious                                                   
                                                               performance degradation.                                                                                                                       
UNSAFE_VAR_ASSIGNMENT   Unsafe call to import for argument 0   Due to both security and performance concerns, this may not be set using dynamic values        features/accesskit/index.js        17     50    
                                                               which have not been adequately sanitized. This can lead to security issues or fairly serious                                                   
                                                               performance degradation.                                                                                                                       
UNSAFE_VAR_ASSIGNMENT   Unsafe call to import for argument 0   Due to both security and performance concerns, this may not be set using dynamic values        features/no_recommended/index.js   6      45    
                                                               which have not been adequately sanitized. This can lead to security issues or fairly serious                                                   
                                                               performance degradation.                                                                                                                       
UNSAFE_VAR_ASSIGNMENT   Unsafe call to import for argument 0   Due to both security and performance concerns, this may not be set using dynamic values        features/no_recommended/index.js   17     50    
                                                               which have not been adequately sanitized. This can lead to security issues or fairly serious                                                   
                                                               performance degradation.                                                                                                                       
UNSAFE_VAR_ASSIGNMENT   Unsafe call to import for argument 0   Due to both security and performance concerns, this may not be set using dynamic values        features/tweaks/index.js           6      45    
                                                               which have not been adequately sanitized. This can lead to security issues or fairly serious                                                   
                                                               performance degradation.                                                                                                                       
UNSAFE_VAR_ASSIGNMENT   Unsafe call to import for argument 0   Due to both security and performance concerns, this may not be set using dynamic values        features/tweaks/index.js           17     50    
                                                               which have not been adequately sanitized. This can lead to security issues or fairly serious                                                   
                                                               performance degradation.                                                                                                                       

data_collection_permissions is easy to add; we don't collect any data. We don't even store the user's blogname for Quick Reblog's "Remember the last selected blog in the popup" option; we store a hash of it.

Resolving the AccessKit, No Recommended, and Tweaks warnings is also trivial; we just need to use browser.runtime.getURL to sanitise the argument to import() (which also requires using an absolute path). It's the tiniest bit messier than using unsanitised relative paths, but resolving six warnings from npm test seems worth it to me.

The remaining warnings are:

WARNINGS:

Code                    Message                                Description                                                                                    File                  Line   Column
UNSAFE_VAR_ASSIGNMENT   Unsafe call to import for argument 0   Due to both security and performance concerns, this may not be set using dynamic values        main_world/index.js   13     33    
                                                               which have not been adequately sanitized. This can lead to security issues or fairly serious                                      
                                                               performance degradation.                                                                                                          
UNSAFE_VAR_ASSIGNMENT   Unsafe assignment to innerHTML         Due to both security and performance concerns, this may not be set using dynamic values        lib/jquery.min.js     2      9984  
                                                               which have not been adequately sanitized. This can lead to security issues or fairly serious                                      
                                                               performance degradation.                                                                                                          
UNSAFE_VAR_ASSIGNMENT   Unsafe assignment to innerHTML         Due to both security and performance concerns, this may not be set using dynamic values        lib/jquery.min.js     2      36284 
                                                               which have not been adequately sanitized. This can lead to security issues or fairly serious                                      
                                                               performance degradation.                                                                                                          
UNSAFE_VAR_ASSIGNMENT   Unsafe assignment to innerHTML         Due to both security and performance concerns, this may not be set using dynamic values        lib/jquery.min.js     2      48683 
                                                               which have not been adequately sanitized. This can lead to security issues or fairly serious                                      
                                                               performance degradation.                                                                                                          

I think it's safe to say that these cannot be resolved—there is no sanitiser which addons-linter would be satisfied with and which is usable in a main world script, and we can't do anything about the warnings coming from jQuery unless we completely ditch jQuery...

...which we could do if we really wanted to, since we don't use it for much...

...but that's for another day, or at the very least another PR!

Testing steps

  1. Load the modified addon
  2. Open a Tumblr tab
  3. Enable AccessKit, and toggle any option(s) that would visibly modify the page
    • Expected result: AccessKit options can be run successfully
    • Expected result: AccessKit options can be destroyed successfully
  4. Enable No Recommended, and toggle any option(s) that would visibly modify the page
    • Expected result: No Recommended options can be run successfully
    • Expected result: No Recommended options can be destroyed successfully
  5. Enable Tweaks, and toggle any option(s) that would visibly modify the page
    • Expected result: Tweaks options can be run successfully
    • Expected result: Tweaks options can be destroyed successfully
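
The dynamic-import change described above, as an added example that is not code from this PR or the project: the value that picks the module is validated against a strict pattern, turned into a path from the extension root, and passed to import() through browser.runtime.getURL. `optionPath`, `loadOption`, the `options/<name>.js` layout and the option names are hypothetical.

```javascript
// Added example. Only browser.runtime.getURL and import() come from the PR text;
// optionPath, loadOption and the "options/<name>.js" layout are hypothetical.

// Flagged shape: a relative specifier assembled from a runtime value.
//   const module = await import(`./options/${optionName}.js`);

// Accept plain identifiers only, so "..", "/", ":" or "%" can never reach the path.
const SAFE_NAME = /^[a-z0-9_]+$/;

function optionPath (featureName, optionName) {
  for (const part of [featureName, optionName]) {
    if (typeof part !== 'string' || !SAFE_NAME.test(part)) {
      throw new TypeError(`Refusing module name ${JSON.stringify(part)}`);
    }
  }
  // Absolute from the extension root; the PR notes getURL needs an absolute path.
  return `/features/${featureName}/options/${optionName}.js`;
}

// The import() argument is the getURL call itself, so the specifier always
// resolves to a URL inside the extension's own origin.
async function loadOption (featureName, optionName) {
  return import(browser.runtime.getURL(optionPath(featureName, optionName)));
}
```

The name check is what bounds the dynamic part of the specifier; getURL only anchors the result to the extension's origin.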


@marcustyphoon marcustyphoon left a comment


Works in Firefox 128 and Chrome 105.

@AprilSylph AprilSylph merged commit 39830f7 into master Nov 13, 2025
5 checks passed
@AprilSylph AprilSylph deleted the aprilsylph/web-ext-warnings branch November 13, 2025 09:58