1247081 - Security error when setting the src of an iframe to a moz-extension:// url with a hash fragment

Status: VERIFIED FIXED

(WebExtensions :: Untriaged, defect, P1)

Description

[Andrew Sprouse]

Attachment: hellow.xpi.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36

Steps to reproduce:

1. Ensure you have the prerequisites for running a WebExtension (https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Walkthrough#Prerequisites)

2. Open about:addons and load the attached hellow.xpi
3. Open a url such as http://web.mit.edu/
4. Click on the plugin's browser action button in the toolbar




Actual results:

1. The iFrame appears empty
2. "Security Error: Content at http://web.mit.edu/ may not load or link to moz-extension://3d75a866-3a3e-d04e-958b-48d0982bcb09/app/index.html#/hash/fragment" in the console


Expected results:

1. The iFrame should appear and display the text "HELLO WORLD"

Comment 1

[Kris Maglione [:kmag]]

Attachment: MozReview Request: Bug 1247081: Support fragment IDs and query strings in web_accessible_resources URLs. r?billm

Review commit: https://reviewboard.mozilla.org/r/35931/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/35931/

Comment 2

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Comment on attachment 8722257 [details]
MozReview Request: Bug 1247081: Support fragment IDs and query strings in web_accessible_resources URLs. r?billm

https://reviewboard.mozilla.org/r/35931/#review33019

Comment 3

[Kris Maglione [:kmag]]

https://hg.mozilla.org/integration/fx-team/rev/ec700560eba22e7efcb4e263650bc5e88f65d4bf
Bug 1247081: Support fragment IDs and query strings in web_accessible_resources URLs. r=billm

Comment 4

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/ec700560eba2

Comment 5

[Vasilica Tamas, QA [:vtamas]]

Attachment: video-1459950083.mp4

I was able to reproduce this issue on Firefox 47.0a1 (2016-01-29) under Windows 10 64-bit.

Tested on latest Firefox 48.0a1 (2016-04-06) using https://addons.allizom.org/en-US/firefox/addon/testfor1247081/ under Windows 10 64-bit, Ubuntu 12.04 32-bit and Mac OS X 10.11 and noticed the following:
  - "HELLO WORLD" is successfully displayed
  - No errors are thrown in browser console
But, 
  - The webextension’s icon is not displayed in toolbar and about:addons: http://i.imgur.com/pdBJlvd.jpg
  - There are 2 different alternative opening animations encountered. See attached screenscast.
 
Should I file new bugs for these issues?

I was unable to test this bug on Firefox 47.0a2 (2016-04-06) because the webextension seems to be corrupted under this Firefox version even with the xpinstall.signatures.dev-root pref set to true.
Do you know why?

Comment 6

[Kris Maglione [:kmag]]

(In reply to Vasilica Mihasca, QA [:vasilica_mihasca] from comment #5)
>   - The webextension’s icon is not displayed in toolbar and about:addons:
> http://i.imgur.com/pdBJlvd.jpg

The extension doesn't actually include the image files it lists as icons, so I
don't think this is a bug.

>   - There are 2 different alternative opening animations encountered. See
> attached screenscast.

That UI is all implemented by the add-on, as a content script, so this is also a bug in the add-on rather than the browser.

> I was unable to test this bug on Firefox 47.0a2 (2016-04-06) because the
> webextension seems to be corrupted under this Firefox version even with the
> xpinstall.signatures.dev-root pref set to true.
> Do you know why?

It's because of the "default_locale" property under "browser_action", which
isn't legal.

Comment 7

[Vasilica Tamas, QA [:vtamas]]

Thanks for clarifying this!

Based on Comment 5 and Comment 6, I am marking this bug as Verified, since none of the above mentioned issues are Firefox specific.