Closed
Bug 1273270
Opened 9 years ago
Closed 9 years ago
Specifying an URL inside the `permissions` field of manifest.json should allow all possible interactions from the extension with the URL
Categories
(WebExtensions :: Untriaged, defect)
WebExtensions
Untriaged
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: ntim, Unassigned)
References
Details
STR:
- Install BMFG: https://addons.allizom.org/en-US/firefox/addon/black-menu-for-google/
- Open the panel
- Use various pages (notably the Search, Translate, Flights pages, but many other pages are affected)
AR:
Those pages don't load at all, and these errors appear in the Browser Console:
Security Error: Content at https://www.google.com/flights/?extension=blackmenu&gl=US&extensionId=googleblackmenu@example.com&authuser=0# may not load data from moz-extension://46e6cdab-1a5d-9f48-89a3-9334e910b233/app.html.
Load denied by X-Frame-Options: https://translate.google.com/m/translate?extension=blackmenu&extensionId=googleblackmenu@example.com&authuser=0# does not permit framing.
Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided (‘https://www.google.com’) does not match the recipient window’s origin (‘https://www.google.com’).
Load denied by X-Frame-Options: https://www.google.com/search?extension=blackmenu&extensionId=googleblackmenu%40example.com&authuser=0&q=test&fg=1&gws_rd=cr# does not permit cross-origin framing.
TypeError: NetworkError when attempting to fetch resource.
ER:
These errors should not appear, and the pages should load as those URIs are specified within the permissions field of manifest.json.
Note that this extension works well on chrome: https://chrome.google.com/webstore/detail/black-menu-for-google/eignhdfgaldabilaaegmdfbajngjmoke
|
||
Comment 1•9 years ago
|
||
There are several separate issues here.
(In reply to Tim Nguyen :ntim from comment #0)
> Security Error: Content at
> https://www.google.com/flights/
> ?extension=blackmenu&gl=US&extensionId=googleblackmenu@example.
> com&authuser=0# may not load data from
> moz-extension://46e6cdab-1a5d-9f48-89a3-9334e910b233/app.html.
This is unrelated. It means that the add-on is in some way trying to load
app.html into or from the page at that URL, which is not supported unless the
page is listed in web_accessible_resources.
> Load denied by X-Frame-Options:
> https://translate.google.com/m/
> translate?extension=blackmenu&extensionId=googleblackmenu@example.
> com&authuser=0# does not permit framing.
>
> Load denied by X-Frame-Options:
> https://www.google.com/
> search?extension=blackmenu&extensionId=googleblackmenu%40example.
> com&authuser=0&q=test&fg=1&gws_rd=cr# does not permit cross-origin framing.
I'm not sure why you'd expect having permissions for a site would override its
X-Frame-Options settings. It does give you cross-domain request access, but
X-Frame-Options is a different thing entirely.
> Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided
> (‘https://www.google.com’) does not match the recipient window’s origin
> (‘https://www.google.com’).
This is also unrelated.
> TypeError: NetworkError when attempting to fetch resource.
This error could mean anything, depending on the context.
|
Reporter | |
Comment 2•9 years ago
|
||
(In reply to Kris Maglione [:kmag] from comment #1)
> There are several separate issues here.
>
> (In reply to Tim Nguyen :ntim from comment #0)
> > Security Error: Content at
> > https://www.google.com/flights/
> > ?extension=blackmenu&gl=US&extensionId=googleblackmenu@example.
> > com&authuser=0# may not load data from
> > moz-extension://46e6cdab-1a5d-9f48-89a3-9334e910b233/app.html.
>
> This is unrelated. It means that the add-on is in some way trying to load
> app.html into or from the page at that URL, which is not supported unless the
> page is listed in web_accessible_resources.
I'm going to ask the extension author if he can try that solution.
> > Load denied by X-Frame-Options:
> > https://translate.google.com/m/
> > translate?extension=blackmenu&extensionId=googleblackmenu@example.
> > com&authuser=0# does not permit framing.
> >
> > Load denied by X-Frame-Options:
> > https://www.google.com/
> > search?extension=blackmenu&extensionId=googleblackmenu%40example.
> > com&authuser=0&q=test&fg=1&gws_rd=cr# does not permit cross-origin framing.
>
> I'm not sure why you'd expect having permissions for a site would override
> its
> X-Frame-Options settings. It does give you cross-domain request access, but
> X-Frame-Options is a different thing entirely.
The frame views fine on Chrome. I think this should be implemented for chrome parity.
> > Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided
> > (‘https://www.google.com’) does not match the recipient window’s origin
> > (‘https://www.google.com’).
>
> This is also unrelated.
I shouldn't have used "CORS" in my bug summary. The extension should be able to interact in every possible ways with a domain if the domain is included in the permissions field, postMessage is one of those ways. Again, it would be nice for chrome parity.
> > TypeError: NetworkError when attempting to fetch resource.
>
> This error could mean anything, depending on the context.
True.
Summary: Specifying an URL inside the `permissions` field of manifest.json should grant CORS permissions → Specifying an URL inside the `permissions` field of manifest.json should allow all possible interactions from the extension with the URL
|
|
||
Comment 3•9 years ago
|
||
(In reply to Tim Nguyen :ntim from comment #2)
> > I'm not sure why you'd expect having permissions for a site would override
> > its
> > X-Frame-Options settings. It does give you cross-domain request access, but
> > X-Frame-Options is a different thing entirely.
>
> The frame views fine on Chrome. I think this should be implemented for
> chrome parity.
It works on Chrome because the extension has a webRequest listener that
removes the security headers from the request, but does so in a way that isn't
currently supported in Firefox.
I filed bug 1273281 to prevent this. Either way, it's a separate issue.
> I shouldn't have used "CORS" in my bug summary. The extension should be able
> to interact in every possible ways with a domain if the domain is included
> in the permissions field, postMessage is one of those ways. Again, it would
> be nice for chrome parity.
Regardless, this is a separate issue, entirely unrelated to the ones in this
bug. My guess, though, is that this is also due to the extension's webRequest
listeners failing to mangle security headers.
|
|
||
Comment 4•9 years ago
|
||
the issues added have individual bugs already
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
|
||
Updated•7 years ago
|
Product: Toolkit → WebExtensions
You need to log in
before you can comment on or make changes to this bug.
Description
•