1 files changed, 161 insertions, 0 deletions

diff --git a/toolkit/components/extensions/test/xpcshell/test_ext_schemas_privileged.js b/toolkit/components/extensions/test/xpcshell/test_ext_schemas_privileged.js
new file mode 100644
index 0000000000..e2da7e5a74
--- /dev/null
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_schemas_privileged.js
@@ -0,0 +1,161 @@
+"use strict";
+
+const { ExtensionAPI } = ExtensionCommon;
+
+AddonTestUtils.init(this);
+AddonTestUtils.overrideCertDB();
+AddonTestUtils.usePrivilegedSignatures = false;
+AddonTestUtils.createAppInfo(
+  "xpcshell@tests.mozilla.org",
+  "XPCShell",
+  "1",
+  "42"
+);
+
+add_setup(async () => {
+  const schema = [
+    {
+      namespace: "privileged",
+      permissions: ["mozillaAddons"],
+      properties: {
+        test: {
+          type: "any",
+        },
+      },
+    },
+  ];
+
+  class API extends ExtensionAPI {
+    getAPI(context) {
+      return {
+        privileged: {
+          test: "hello",
+        },
+      };
+    }
+  }
+
+  const modules = {
+    privileged: {
+      url: URL.createObjectURL(new Blob([API.toString()])),
+      schema: `data:,${JSON.stringify(schema)}`,
+      scopes: ["addon_parent"],
+      paths: [["privileged"]],
+    },
+  };
+
+  Services.catMan.addCategoryEntry(
+    "webextension-modules",
+    "test-privileged",
+    `data:,${JSON.stringify(modules)}`,
+    false,
+    false
+  );
+
+  await AddonTestUtils.promiseStartupManager();
+
+  registerCleanupFunction(async () => {
+    await AddonTestUtils.promiseShutdownManager();
+    Services.catMan.deleteCategoryEntry(
+      "webextension-modules",
+      "test-privileged",
+      false
+    );
+  });
+});
+
+add_task(
+  {
+    // Some builds (e.g. thunderbird) have experiments enabled by default.
+    pref_set: [["extensions.experiments.enabled", false]],
+  },
+  async function test_privileged_namespace_disallowed() {
+    // Try accessing the privileged namespace.
+    async function testOnce({
+      isPrivileged = false,
+      temporarilyInstalled = false,
+    } = {}) {
+      let extension = ExtensionTestUtils.loadExtension({
+        manifest: {
+          permissions: ["mozillaAddons", "tabs"],
+        },
+        background() {
+          browser.test.sendMessage(
+            "result",
+            browser.privileged instanceof Object
+          );
+        },
+        isPrivileged,
+        temporarilyInstalled,
+      });
+
+      if (temporarilyInstalled && !isPrivileged) {
+        ExtensionTestUtils.failOnSchemaWarnings(false);
+        let { messages } = await promiseConsoleOutput(async () => {
+          await Assert.rejects(
+            extension.startup(),
+            /Using the privileged permission/,
+            "Startup failed with privileged permission"
+          );
+        });
+        ExtensionTestUtils.failOnSchemaWarnings(true);
+        AddonTestUtils.checkMessages(
+          messages,
+          {
+            expected: [
+              {
+                message:
+                  /Using the privileged permission 'mozillaAddons' requires a privileged add-on/,
+              },
+            ],
+          },
+          true
+        );
+        return null;
+      }
+      await extension.startup();
+      let result = await extension.awaitMessage("result");
+      await extension.unload();
+      return result;
+    }
+
+    // Prevents startup
+    let result = await testOnce({ temporarilyInstalled: true });
+    equal(
+      result,
+      null,
+      "Privileged namespace should not be accessible to a regular webextension"
+    );
+
+    result = await testOnce({ isPrivileged: true });
+    equal(
+      result,
+      true,
+      "Privileged namespace should be accessible to a webextension signed with Mozilla Extensions"
+    );
+
+    // Allows startup, no access
+    result = await testOnce();
+    equal(
+      result,
+      false,
+      "Privileged namespace should not be accessible to a regular webextension"
+    );
+  }
+);
+
+// Test that Extension.jsm and schema correctly match.
+add_task(function test_privileged_permissions_match() {
+  const { PRIVILEGED_PERMS } = ChromeUtils.importESModule(
+    "resource://gre/modules/Extension.sys.mjs"
+  );
+  let perms = Schemas.getPermissionNames(["PermissionPrivileged"]);
+  if (AppConstants.platform == "android") {
+    perms.push("nativeMessaging");
+  }
+  Assert.deepEqual(
+    Array.from(PRIVILEGED_PERMS).sort(),
+    perms.sort(),
+    "List of privileged permissions is correct."
+  );
+});