Closed Bug 1227460 Opened 9 years ago Closed 9 years ago

chrome.tabs.executeScript API doesn't check host permissions

Categories

(WebExtensions :: Untriaged, defect)

Product:
WebExtensions
Component:
Untriaged
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1193837

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

References

Details

(Keywords: sec-high, Whiteboard: [tabs])

Attachments

(1 file)

executeScript.xpi
1.05 KB, application/zip
Details
Attached file executeScript.xpi 
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

The 'chrome.tabs.executeScript' API doesn't check host permissions so any extensions can inject content scripts to any websites without user's consent.
Attached is a sample extension that can reproduce the issue.



Actual results:

Open a website in a tab. When you click the buttons in the extension, a script file is injected to the website and an alert dialog with their URL of website is shown. However, manifest.json of this extension doesn't declare any permissions.



Expected results:

The executeScript should not inject scripts if target URL doesn't match host permissions of an extension.
MDN describes that host permissions affects to the target host of tabs.executeScript but it seems that is not implemented appropriately.
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/permissions
Component: General → WebExtensions
Flags: needinfo?(amckay)
Product: Core → Toolkit
Flags: needinfo?(amckay)
Keywords: sec-high
Depends on: 1193837, 1197420
Group: core-security
Whiteboard: [tabs]
Flags: blocking-webextensions?
This is a direct dupe.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Product: Toolkit → WebExtensions
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: