Open
Bug 1305109
Opened 8 years ago
Updated 2 years ago
postMessage from iframe cannot securely send to extension content-scripts in different frame
Categories
(WebExtensions :: General, defect, P3)
WebExtensions
General
Tracking
(Not tracked)
REOPENED
People
(Reporter: bugzilla.mozilla.org, Unassigned)
References
Details
(Whiteboard: triaged)
Since each content script is scoped to the domain of the |window| it is attached it cannot directly manipulate cross-origin frames and has to talk to separate content scripts attached to those frames.
But securely talking to those other content scripts is fairly difficult.
Attempting to use standard web APIs fails, e.g. top.postMessage("foo", "moz-extension://...") fails with the following error:
> Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided (‘moz-extension://...’) does not match the recipient window’s origin (‘https://www....’).
Expected behavior:
a) The message is sent anyway and can only be received by by the content script in the other frame
b) the message's |origin| is set to postMessage's |targetOrigin| if it's sent from an expanded principal and received on an expanded principal and both principals subsume targetOrigin.
In other words, when sending from a content script to a content script then both ends can be sure that only the content script was able to see it and not the page content.
|
||
Comment 1•8 years ago
|
||
Is this a regression?
|
||
Updated•8 years ago
|
Component: DOM → WebExtensions: Untriaged
Product: Core → Toolkit
|
||
Updated•8 years ago
|
Priority: -- → P3
Whiteboard: triaged
|
||
Comment 3•7 years ago
|
||
IIUC what is being attempted here, runtime.sendMessage can be used.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
I can't scope sendMessage's target to a specific window, so it seems like it would be quite inefficient due to broadcasting every event.
|
||
Updated•7 years ago
|
Product: Toolkit → WebExtensions
|
||
Comment 5•6 years ago
|
||
Not sure why this was closed. This is definitely something we ideally want. runtime.sendMessage is harder to target and has higher latency. We should make it as easy as possible for extensions to do the Right Thing.
Status: RESOLVED → REOPENED
Component: Untriaged → General
Ever confirmed: true
Resolution: INVALID → ---
I ran into this while trying to port Shumway to WebExtensions, since it uses window.postMessage to send data back and from the different rendering iframes and, during startup, the content script of the embedding page.
Blocks: webext, shumway-webext
See Also: → 1208775
|
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•