Expose API to whitelisted pages to preview recipe actions in the add-on

[Osmose]

When installed, the system add-on should make some form of API available to a whitelisted set of domains that allows them to execute actions in "testing" mode. This will be used on the preview page in the control interface to preview how a recipe will behave.

The whitelisting mechanism should be similar to how UITour's whitelist behaves: http://bedrock.readthedocs.io/en/latest/uitour.html

This was originally mozilla/normandy-addon#30 in the add-on repo.

[Osmose]

UITour does this in https://dxr.mozilla.org/mozilla-central/source/browser/components/uitour/content-UITour.js. It gets registered on the browser message manager in https://dxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#1159, but @Mossop says we can just use Services.mm instead (see https://dxr.mozilla.org/mozilla-central/source/toolkit/modules/Services.jsm?q=path%3Aservices.jsm&redirect_type=single#51).

[Mossop]

The one difference between using Services.mm and the message manager that UITour uses is that UITour's will only see events from webpages loaded in tab while Services.mm will see events from any webpage, so for example the sidebar, webextension panels etc. Since you're going to be doing domain checking I wouldn't expect that to be an issue though but if needs be you can do additional verification when sending a message up to the main process that the page is actually in a tab.

[Osmose]

@Mossop @gijsk I have a question while I'm looking over the UITour implementation:

UITour uses nsiPermissionManager to check for origins that have permission to use UITour, and add the origins they care about to the list of default permissions. However, as a system add-on, we'd have to manually add the origins we care about on startup to the permissions manager anyway (or at least once; I can't tell if they persist after being added).

Given that, is there any point to using nsiPermissionManager if we're going to be doing our own domain checking for test origins anyway?

[Mossop]

I don't think there is any need to use the permissions manager, just hardcode your domains.

[gijsk]

nsIPermissionManager does persist, but I agree with Mossop that hand-rolling this is fine, on the assumption that we get the relevant checks correct. :-)

(Basically, what I think you'll want is checking document.nodePrincipal and checking that that matches some whitelisted principal.)

[Osmose]

After talking with ulfr, I filed bug 1359198 to get feedback/approval on the security model of this feature.

[Osmose]

This is blocked until the discussion in that bug is resolved.

[mythmon]

We have decided to remove the preview feature entirely.