Open Bug 1286083 Opened 8 years ago Updated 9 months ago

Invisible background page can navigate to arbitrary URLs

Categories

(WebExtensions :: General, defect, P5)

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned)

References

Details

(Whiteboard: [addons-jira][wecg])

Attachments

(1 file)

Background pages should not be able to navigate to arbitrary URLs.

Test case 1 (main frame-initiated navigation):
1. Inspect any background page.
2. location.href = 'http://example.com/';
3. Wait a second.
4. document.documentElement.outerHTML;

Result  : Step 4 looks like example.com
Expected: Step 2 should fail, the navigation should be rejected.

Test case 2 (child frame-initiated navigation):
1. Load the attached addon via about:debugging
2. (The addon's background page inserts a frame, the frame has a script that navigates the top-level frame to example.com)
3. Debug the background page via about:debugging
4. Type location.href

Result  : http://example.com/
Expected: moz-extension://...

I don't think this is a big deal (now that bug 1226423 is fixed, anyway). If the background page wants to load remote iframes, it should sandbox them.

I don't have any objection to preventing this, though.
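
The sandboxing suggested in the comment above, as an added example that is not part of the original bug thread or of Firefox's code: a background-script helper that inserts a remote frame with a `sandbox` attribute from which the tokens relaxing top-level navigation have been stripped, so the child frame in test case 2 cannot navigate the background page. The names `TOP_NAV_TOKENS`, `safeSandboxTokens`, `addSandboxedFrame` and `isExtensionPage` are hypothetical.

```javascript
// Added example; all identifiers here are hypothetical helpers.
// Sandbox tokens that relax the "no top-level navigation" restriction.
const TOP_NAV_TOKENS = new Set([
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Return the requested sandbox tokens minus any that permit top navigation.
function safeSandboxTokens(requested) {
  return requested
    .split(/\s+/)
    .filter(Boolean)
    .map((token) => token.toLowerCase())
    .filter((token) => !TOP_NAV_TOKENS.has(token));
}

// Insert a remote frame into the background page, sandboxed from the start.
function addSandboxedFrame(doc, url, requested = "allow-scripts") {
  const frame = doc.createElement("iframe");
  // Set sandbox before src: the flags only apply to loads that start
  // after the attribute is present.
  frame.setAttribute("sandbox", safeSandboxTokens(requested).join(" "));
  frame.setAttribute("src", url);
  doc.body.appendChild(frame);
  return frame;
}

// Self-check for the background page: true while it is still an
// extension document (the "Expected" result of test case 2).
function isExtensionPage(loc) {
  return loc.protocol === "moz-extension:";
}
```

In a background script this would be called as `addSandboxedFrame(document, "https://example.com/")`, with `isExtensionPage(location)` usable as a periodic sanity check.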
Whiteboard: triaged
See Also: → 1392997
Priority: -- → P5
Product: Toolkit → WebExtensions
Bulk move of bugs per https://bugzilla.mozilla.org/show_bug.cgi?id=1483958
Component: Untriaged → General
See Also: → 1762225
Whiteboard: triaged → [wecg]
Whiteboard: [wecg] → [addons-jira][wecg]

This seems to have been assigned ages ago, so removing that and putting it in Jira to go into the backlog.

Assignee: rob → nobody
Status: ASSIGNED → NEW

We've discussed this in the WECG today (https://github.com/w3c/webextensions/issues/191), and the consensus is to block the ability to navigate to remote URLs.

Severity: normal → S3
See Also: → 1844217