Closed
Bug 1227460
Opened 9 years ago
Closed 9 years ago
chrome.tabs.executeScript API doesn't check host permissions
Categories
(WebExtensions :: Untriaged, defect)
WebExtensions
Untriaged
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1193837
People
(Reporter: sdna.muneaki.nishimura, Unassigned)
References
Details
(Keywords: sec-high, Whiteboard: [tabs])
Attachments
(1 file)
1.05 KB,
application/zip
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

The 'chrome.tabs.executeScript' API doesn't check host permissions, so any extension can inject content scripts into any website without the user's consent. Attached is a sample extension that can reproduce the issue.

Actual results:

Open a website in a tab. When you click the buttons in the extension, a script file is injected into the website and an alert dialog with the URL of the website is shown. However, the manifest.json of this extension doesn't declare any permissions.

Expected results:

executeScript should not inject scripts if the target URL doesn't match the host permissions of an extension. MDN describes that host permissions affect the target host of tabs.executeScript, but it seems that is not implemented appropriately.
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/permissions
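The check the report expects, sketched as an added example (not part of the bug report and not Firefox's implementation): before injecting, compare the tab URL against the host match patterns declared in the manifest's permissions array and deny when none match. The names parseMatchPattern, matches and mayInject are hypothetical, and the pattern grammar is a simplified reading of the WebExtensions match-pattern syntax.

```javascript
// Added example: hypothetical helper names; not Firefox's implementation.
const SCHEMES = ["http", "https", "ftp", "file"];

// Escape regex metacharacters, then turn the match-pattern wildcard "*" into ".*".
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Parse one host-permission match pattern; returns null for anything that is
// not a match pattern (API permissions such as "tabs", malformed input).
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") return { all: true };
  const m = /^(\*|https?|ftp|file):\/\/(\*|\*\.[^\/*]+|[^\/*]*)(\/.*)$/.exec(pattern);
  if (!m) return null;
  const [, scheme, host, path] = m;
  if (scheme !== "file" && host === "") return null; // host required except for file:
  return { scheme, host, path: globToRegExp(path) };
}

function matches(p, url) {
  const scheme = url.protocol.slice(0, -1);
  if (!SCHEMES.includes(scheme)) return false; // about:, data:, etc. are never covered
  if (p.all) return true;
  // "*" as a scheme covers only http and https.
  if (p.scheme === "*" ? !/^https?$/.test(scheme) : p.scheme !== scheme) return false;
  const host = url.hostname;
  if (p.host !== "*") {
    if (p.host.startsWith("*.")) {
      const base = p.host.slice(2);
      // "*.example.com" covers example.com and its subdomains, not "badexample.com".
      if (host !== base && !host.endsWith("." + base)) return false;
    } else if (p.host !== host) return false;
  }
  return p.path.test(url.pathname + url.search);
}

// Deny by default: inject only when a declared host permission matches the tab URL.
function mayInject(manifestPermissions, tabUrl) {
  let url;
  try { url = new URL(tabUrl); } catch { return false; }
  return manifestPermissions
    .map(parseMatchPattern)
    .some((p) => p !== null && matches(p, url));
}
```

With an empty permissions list, as in the attached sample extension's manifest, mayInject returns false for every tab URL.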
Updated•9 years ago
Component: General → WebExtensions
Flags: needinfo?(amckay)
Product: Core → Toolkit
Updated•9 years ago
Flags: needinfo?(amckay)
Updated•9 years ago
Group: core-security
Updated•9 years ago
Whiteboard: [tabs]
Updated•9 years ago
Flags: blocking-webextensions?
This is a direct dupe.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated•6 years ago
Product: Toolkit → WebExtensions