Open
Bug 1286083
Opened 9 years ago
Updated 1 year ago
Invisible background page can navigate to arbitrary URLs
Categories
(WebExtensions :: General, defect, P5)
WebExtensions
General
Tracking
(Not tracked)
NEW
People
(Reporter: robwu, Unassigned)
References
Details
(Whiteboard: [addons-jira][wecg])
Attachments
(1 file)
|
783 bytes,
application/zip
|
Details |
Background pages should not be able to navigate to arbitrary URLs.
Test case 1 (main frame-initiated navigation):
1. Inspect any background page.
2. location.href = 'http://example.com/';
3. Wait a second.
4. document.documentElement.outerHTML;
Result : Step 4 looks like example.com
Expected: Step 2 should fail, the navigation should be rejected.
Test case 2 (child frame-initiated navigation):
1. Load the attached addon via about:debugging
2. (The addon's background page inserts a frame, the frame has a script that navigates the top-level frame to example.com)
3. Debug the background page via about:debugging
4. Type location.href
Result : http://example.com/
Expected: moz-extension://...
|
||
Comment 1•9 years ago
|
||
I don't think this is a big deal (now that bug 1226423 is fixed, anyway). If the background page wants to load remote iframes, it should sandbox them.
I don't have any objection to preventing this, though.
|
|
||
Updated•9 years ago
|
Whiteboard: triaged
|
||
Updated•8 years ago
|
Priority: -- → P5
|
||
Updated•7 years ago
|
Product: Toolkit → WebExtensions
|
||
Comment 2•7 years ago
|
||
Bulk move of bugs per https://bugzilla.mozilla.org/show_bug.cgi?id=1483958
Component: Untriaged → General
|
|
||
Updated•4 years ago
|
See Also: → https://jira.mozilla.com/browse/WEBEXT-32
|
|
||
Updated•4 years ago
|
See Also: https://jira.mozilla.com/browse/WEBEXT-32 →
|
Reporter | |
Updated•3 years ago
|
See Also: → https://github.com/w3c/webextensions/issues/191
Whiteboard: triaged → [wecg]
|
||
Updated•3 years ago
|
Whiteboard: [wecg] → [addons-jira][wecg]
|
||
Updated•3 years ago
|
|
|
||
Comment 3•3 years ago
|
||
This seems to have been assigned ages ago, so removing that and put it in jira to go into the backlog.
Assignee: rob → nobody
Status: ASSIGNED → NEW
|
|
Reporter | |
Comment 4•3 years ago
|
||
We've discussed this in the WECG today (https://github.com/w3c/webextensions/issues/191), and the consensus is to block the ability to navigate to remote URLs.
|
|
||
Updated•3 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•