Open
Bug 1286083
Opened 8 years ago
Updated 9 months ago
Invisible background page can navigate to arbitrary URLs
Categories
(WebExtensions :: General, defect, P5)
Tracking
(Not tracked)
NEW
People
(Reporter: robwu, Unassigned)
Details
(Whiteboard: [addons-jira][wecg])
Attachments
(1 file) 783 bytes, application/zip
Background pages should not be able to navigate to arbitrary URLs.

Test case 1 (main frame-initiated navigation):
1. Inspect any background page.
2. location.href = 'http://example.com/';
3. Wait a second.
4. document.documentElement.outerHTML;
Result: Step 4 looks like example.com
Expected: Step 2 should fail, the navigation should be rejected.

Test case 2 (child frame-initiated navigation):
1. Load the attached addon via about:debugging
2. (The addon's background page inserts a frame, the frame has a script that navigates the top-level frame to example.com)
3. Debug the background page via about:debugging
4. Type location.href
Result: http://example.com/
Expected: moz-extension://...
Comment 1•8 years ago
I don't think this is a big deal (now that bug 1226423 is fixed, anyway). If the background page wants to load remote iframes, it should sandbox them. I don't have any objection to preventing this, though.
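As an added example (not code from the bug report, from Firefox, or from the addon attached above), the mitigation comment 1 suggests for a background page that must embed a remote frame: strip the `sandbox` keywords that grant top-level navigation before inserting the frame, and check that the page is still at its moz-extension:// URL, which is the expected result of test case 2. The extension host id and the frame URL are assumed values.

```javascript
// Added example, not from the bug report or Firefox: helpers for a background
// page that embeds a remote iframe (comment 1's sandboxing suggestion) and a
// check for test case 2's expected moz-extension:// location. Assumed values
// are marked inline.

// Sandbox keywords that let a frame navigate its top-level browsing context.
const TOP_NAV_TOKENS = new Set([
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Split a `sandbox` attribute value into its keywords: whitespace separated
// and ASCII case-insensitive, as the HTML spec defines the attribute.
function parseSandboxTokens(value) {
  return value.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase());
}

// True when the value still leaves the frame able to navigate the top frame.
function permitsTopNavigation(sandboxValue) {
  return parseSandboxTokens(sandboxValue).some((t) => TOP_NAV_TOKENS.has(t));
}

// Return the value with every top-navigation grant removed. `allow-same-origin`
// is dropped too, so the framed document runs with an opaque origin.
function hardenSandbox(sandboxValue) {
  return parseSandboxTokens(sandboxValue)
    .filter((t) => !TOP_NAV_TOKENS.has(t) && t !== "allow-same-origin")
    .join(" ");
}

// True when `href` is a page of this extension (moz-extension://<id>/...).
// WHATWG URL reports origin "null" for non-special schemes, so compare
// protocol and host instead of `origin`.
function isExtensionPage(href, extensionHostId) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false;
  }
  return url.protocol === "moz-extension:" && url.host === extensionHostId;
}

// Inside a real background page: insert the frame with the hardened sandbox.
if (typeof document !== "undefined") {
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", hardenSandbox("allow-scripts allow-top-navigation"));
  frame.src = "https://remote.example/widget.html"; // assumed frame URL
  document.body.appendChild(frame);
}
```

After the frame has loaded, `isExtensionPage(location.href, <this extension's host id>)` returning false would reproduce the bug's "Result" for test case 2.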
Updated•8 years ago
Whiteboard: triaged
Updated•7 years ago
Priority: -- → P5
Updated•6 years ago
Product: Toolkit → WebExtensions
Comment 2•6 years ago
Bulk move of bugs per https://bugzilla.mozilla.org/show_bug.cgi?id=1483958
Component: Untriaged → General
Updated•3 years ago
See Also: → https://jira.mozilla.com/browse/WEBEXT-32
Updated•3 years ago
See Also: https://jira.mozilla.com/browse/WEBEXT-32 →
Updated•2 years ago
See Also: → https://github.com/w3c/webextensions/issues/191
Whiteboard: triaged → [wecg]
Updated•2 years ago
Whiteboard: [wecg] → [addons-jira][wecg]
Comment 3•2 years ago
This seems to have been assigned ages ago, so removing that and putting it in Jira to go into the backlog.
Assignee: rob → nobody
Status: ASSIGNED → NEW
Comment 4•2 years ago
We've discussed this in the WECG today (https://github.com/w3c/webextensions/issues/191), and the consensus is to block the ability to navigate to remote URLs.
Updated•2 years ago
Severity: normal → S3