Closed Bug 1227453 Opened 10 years ago Closed 10 years ago

chrome.cookies API doesn't check host permissions

Categories

(WebExtensions :: Untriaged, defect)
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1210996

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

References

Details

(Keywords: sec-high)

Attachments

(1 file)

Attached file cookies.xpi
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

The 'chrome.cookies' API for WebExtensions ignores host permissions. It allows an extension having no host permission to access all domains' cookie data in Firefox. Attached is a sample extension that can reproduce the issue.

Actual results:

When you click the button of this extension you can see all cookies in Firefox regardless of their origin. However, manifest.json of this extension declares "http://csrf.jp/*" only.

Expected results:

The same API in Chrome restricts access to cookies by both the 'cookies' and host permissions (see the following URL). Firefox should have the same restriction.
https://developer.chrome.com/extensions/cookies
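The check the report says is missing, written out as an added example (this is not code from the bug's attachment, from Firefox, or from Chromium): a model of the host-permission filter that Chrome applies to cookies.get/getAll on top of the 'cookies' API permission. The match-pattern grammar is the documented <scheme>://<host>/<path> form; the mapping of a cookie to the URL it is checked against (https if the cookie is Secure, otherwise http; leading dot stripped from the domain) and the sample manifest and cookie jar are assumptions constructed for the example.

```javascript
// Parse an extension match pattern into its scheme, host and path parts.
// "<all_urls>" is the documented wildcard for every URL.
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") return { scheme: "*", host: "*", path: "/*" };
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error("invalid match pattern: " + pattern);
  return { scheme: m[1], host: m[2], path: m[3] };
}

// "*" in the scheme position means http or https only, not file/ftp.
function schemeMatches(patternScheme, scheme) {
  if (patternScheme === "*") return scheme === "http" || scheme === "https";
  return patternScheme === scheme;
}

// "*.example.com" covers example.com and every subdomain; otherwise exact host.
function hostMatches(patternHost, host) {
  if (patternHost === "*") return true;
  if (patternHost.startsWith("*.")) {
    const suffix = patternHost.slice(2);
    return host === suffix || host.endsWith("." + suffix);
  }
  return host === patternHost;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// "*" in the path matches any run of characters, including "/".
function pathMatches(patternPath, path) {
  const re = new RegExp("^" + patternPath.split("*").map(escapeRegExp).join(".*") + "$");
  return re.test(path);
}

// Assumption for this example: a cookie {domain, path, secure} is checked as the
// URL it would be sent to: https if Secure, else http; leading dot stripped.
function cookieUrl(cookie) {
  return {
    scheme: cookie.secure ? "https" : "http",
    host: cookie.domain.replace(/^\./, ""),
    path: cookie.path || "/",
  };
}

// An extension may read a cookie only if it holds the 'cookies' API permission
// AND at least one host permission whose pattern matches the cookie's URL.
function canAccessCookie(manifest, cookie) {
  const perms = manifest.permissions || [];
  if (!perms.includes("cookies")) return false;
  const url = cookieUrl(cookie);
  return perms
    .filter((p) => p === "<all_urls>" || p.includes("://"))
    .some((p) => {
      const pat = parseMatchPattern(p);
      return schemeMatches(pat.scheme, url.scheme)
        && hostMatches(pat.host, url.host)
        && pathMatches(pat.path, url.path);
    });
}

// getAll as it should behave: only cookies covered by a host permission are
// returned. Returning the whole jar here is the bug described in the report.
function getAllPermitted(manifest, cookieJar) {
  return cookieJar.filter((c) => canAccessCookie(manifest, c));
}

// Constructed sample data: the manifest from the report and a small cookie jar.
const sampleManifest = { permissions: ["cookies", "http://csrf.jp/*"] };
const sampleJar = [
  { name: "sid", domain: "csrf.jp", path: "/", secure: false },
  { name: "sid", domain: "csrf.jp", path: "/", secure: true },  // https not covered by http:// pattern
  { name: "auth", domain: ".example.com", path: "/", secure: true },
  { name: "pref", domain: "login.example.net", path: "/", secure: false },
];

console.log(getAllPermitted(sampleManifest, sampleJar).map((c) => c.domain));
```

Only the first csrf.jp cookie survives the filter: the Secure one is excluded because the manifest grants http:// and not *://, and the example.com and example.net cookies are excluded because no pattern covers their hosts. Dropping the host-permission clause from canAccessCookie (keeping only the 'cookies' check) reproduces the behaviour the report describes.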
Component: General → WebExtensions
Flags: needinfo?(amckay)
Product: Core → Toolkit
Keywords: sec-high
Group: core-security
Depends on: 1193837, 1197420
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Product: Toolkit → WebExtensions
