PayPal integration

There seems to be a conflict between what PayPal considers secure use of its APIs and what Mozilla considers a security risk for plugins listed on its addons.mozilla.org site:

PayPal clearly states that its .js libraries SHOULD NOT be hosted locally so that the latest version (containing their latest security fixes) is always directly fetched from THEIR server. (APIs like their “Smart Buttons” then rely on dynamically generated files - see https://www.paypal.com/sdk/js - that cannot even be hosted locally).

In order to add some “buy license” option in a “Firefox extension” the most logical thing to do would seem to directly use a respective PayPal API on the options page. And using a

"content_security_policy": "script-src 'self' https://www.paypal.com; object-src 'self'",

in the manifest.json would seem to be the most sensible thing to allow direct use of the PayPal API… unless you think that PayPal is an inherently malicious / dangerous site. But from what I understand (see https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy#exampleNote_1) this is apparently considered a major security issue by Mozilla and therefore not allowed… seriously?

So what is Mozilla’s recommended “secure” way to integrate “PayPal payment” functionality into a plugin’s options such that a plugin can detect if a payment has been made - so that it can automatically register the purchased license key?

If you are dealing with “licenses” for content you will almost always want to run a web service that hands out and validates licenses. Thus the license purchase would also take place on a remote page, solving this issue.


It is true that modifying the CSP of your extension to allow ‘https://www.paypal.com’ (or any external content) does create some major security issues.

It’s against the “Add-ons must be self-contained and not load remote code for execution” policy at https://extensionworkshop.com/documentation/publish/add-on-policies/

I would go with freaktechnik's idea: handling the licensing / payment on an external website.

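A sketch of the approach both replies suggest, added here as an example and not code from either poster or from Mozilla: the manifest simply omits `content_security_policy` so the default (`script-src 'self'; object-src 'self'`) stays in force, the purchase itself happens in an ordinary browser tab on a hypothetical license site, and the extension only ever fetches JSON data from that site. The server name, endpoints, key format and response shape are all assumptions.

```javascript
// Added example (not from the thread). The extension stays self-contained:
// no remote <script> is loaded into any extension page, so the CSP never has
// to be widened. Only JSON data crosses the wire, which the remote-code
// policy does not forbid.
const LICENSE_SERVER = "https://license.example.invalid"; // hypothetical placeholder
const LICENSE_KEY_RE = /^[A-Z0-9]{4}(-[A-Z0-9]{4}){3}$/;    // constructed key format

// Pure decision logic, kept apart from browser APIs so it can be unit-tested.
// Returns {ok: true, expires} on success or {ok: false, reason} otherwise.
function interpretLicenseResponse(httpStatus, body, now = Date.now()) {
  if (httpStatus !== 200) return { ok: false, reason: `server replied ${httpStatus}` };
  if (!body || typeof body !== "object") return { ok: false, reason: "malformed reply" };
  if (body.valid !== true) return { ok: false, reason: "key rejected" };
  const expires = Date.parse(body.expires);
  if (Number.isNaN(expires)) return { ok: false, reason: "missing expiry" };
  if (expires <= now) return { ok: false, reason: "license expired" };
  return { ok: true, expires };
}

function isWellFormedKey(key) {
  return typeof key === "string" && LICENSE_KEY_RE.test(key.trim());
}

// Options-page glue; runs only inside the extension, where `browser` is the
// WebExtension API. The purchase page is a normal tab, outside any privileged context.
async function openPurchasePage() {
  await browser.tabs.create({ url: `${LICENSE_SERVER}/buy` });
}

// After buying, the user pastes the key into the options page and this asks the
// license server whether it is valid. As the thread notes, anything checked in
// extension code can be patched out, so the server remains the real authority.
async function activateLicense(key) {
  if (!isWellFormedKey(key)) return { ok: false, reason: "key format" };
  const resp = await fetch(`${LICENSE_SERVER}/validate`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ key: key.trim() }),
  });
  const body = resp.ok ? await resp.json() : null;
  const result = interpretLicenseResponse(resp.status, body);
  if (result.ok) {
    await browser.storage.local.set({ licenseKey: key.trim(), licenseExpires: result.expires });
  }
  return result;
}
```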

Thanks for the feedback. Having some remote page handle all the respective functionality is certainly a workaround to deal with this scenario (and I’ll probably have to go with it).

However, the respective policies make little sense from my perspective: The “self-contained” extension now not only depends on some PayPal server (which probably has good availability and response times) but also on some additional server (with maybe not so good availability) and it will likely just worsen the user experience.

It is just silly that all the pages of an extension automatically run in some privileged mode (and therefore potentially cause “major security issues”). The sensible thing would be to also allow bundled pages that just run in the environment of regular web pages… with no additional “security issues” as compared to remotely loaded pages… and the extension would THEN be so much more “self contained”.

PS: given the poor / non-existent possibilities to protect extension code against tampering (people can easily disable whatever licensing logic is present and then load the hacked code in development mode, or have Mozilla automatically sign it as “non-listed” test code), I think that it is just a useless waste of effort to set up fancy license server infrastructure when dealing with this Mickey Mouse environment.