Invisible background page can navigate to arbitrary URLs

ASSIGNED
Assigned to

Status

()

Toolkit
WebExtensions: Untriaged
P5
normal
ASSIGNED
2 years ago
9 months ago

People

(Reporter: robwu, Assigned: robwu)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: triaged)

Attachments

(1 attachment)

(Assignee)

Description

2 years ago
Created attachment 8769918 [details]
bug-load-any-test-case-2.zip

Background pages should not be able to navigate to arbitrary URLs.

Test case 1 (main frame-initiated navigation):
1. Inspect any background page.
2. location.href = 'http://example.com/';
3. Wait a second.
4. document.documentElement.outerHTML;

Result  : Step 4 looks like example.com
Expected: Step 2 should fail, the navigation should be rejected.

Test case 2 (child frame-initiated navigation):
1. Load the attached addon via about:debugging
2. (The addon's background page inserts a frame, the frame has a script that navigates the top-level frame to example.com)
3. Debug the background page via about:debugging
4. Type location.href

Result  : http://example.com/
Expected: moz-extension://...
I don't think this is a big deal (now that bug 1226423 is fixed, anyway). If the background page wants to load remote iframes, it should sandbox them.

I don't have any objection to preventing this, though.

Updated

2 years ago
Whiteboard: triaged
See Also: → bug 1392997

Updated

9 months ago
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.