1317166 - Allow opening data: URIs from tabs.create

Status: NEW

(WebExtensions :: Frontend, defect, P5)

Description

[Tomislav Jovanovic :zombie]

This was forbidden to prevent those tabs inheriting the Principal, but in bug 1310331, we added a flag that prevents that from happening, so we should allow it.

Comment 1

[Jonathan Kingston [:jkt] he/him]

Out of interest what is the use-case(s) for doing this?

Comment 2

[Dietrich Ayala (:dietrich)]

Viewing images, or dynamically-generated pages, or interesting things we cannot predict :)

A good rule of thumb might be that if we can open it in a browser tab, we should be able to open it via this API. Anything else will come back to haunt us sooner or later.

Comment 5

[Rob Wu [:robwu]]

Top-level navigations from web content is blocked because of phishing concerns:
https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/

Extensions are somewhat more trusted, so it is probably safe to allow opening data:-URIs..

Comment 6

[beyer]

Use case: For internal testing of our add-on we have a browser action context menu action which opens a new tab containing debug information. In Chrome, something like this work:

```
const dataUri = "data:text/plain;base64," + encodeURIComponent(btoa(JSON.stringify(loggedObject, null, "\t")));
chrome.tabs.create({ url: dataUri}); 
```

But we run into this issue with Firefox.

Comment 7

[Dietrich Ayala (:dietrich)]

Set the addon-compat keyword because this works in Chrome per comment #6.

Comment 8

[Christiane Ruetten [INACTIVE]]

Looks like if the principal is inherited, there is potential to circumvent all sorts of security restrictions by passing JS encoded in data URLs to the new tab. If the principal is not inherited, this could be safe. So what's the principal the new tab gets?

Comment 9

[Rob Wu [:robwu]]

triggeringPrincipal = moz-extension://uuid/
document's principal = null principal

Even with security.data_uri.unique_opaque_origin=false, the principal should be the null principal.

(In the current implementation, it would be the moz-extension principal, but that is going to change in bug 1488053).


(even if javascript:-URLs do not inherit the principal, then we should not allow it via tabs.create/tabs.update, because I have seen many extensions extensions prone to UXSS because they failed to sanitize inputs)

Comment 10

[13hu]

As an extension developer, what is the best, working way to send background data to a new window ?

I tried tabs.executeScript with window.open (https://stackoverflow.com/questions/11965087/open-a-new-tab-window-and-write-something-to-it/49019549#49019549), but that gives a permission error Error: Permission denied to access property "document" on cross-origin object

Comment 11

[Rob Wu [:robwu]]

(In reply to 13hu from comment #10)

As an extension developer, what is the best, working way to send background data to a new window ?

Bundle an extension page with your extension, and pass the content via extension messaging or the URL. If you use the URL, make sure that there are protections in place to prevent others (web pages/extension/user) from breaking your extension when forged data is passed.

I tried tabs.executeScript with window.open (https://stackoverflow.com/questions/11965087/open-a-new-tab-window-and-write-something-to-it/49019549#49019549), but that gives a permission error Error: Permission denied to access property "document" on cross-origin object

That is unrelated to this issue; I filed a new bug at bug 1616228.

Comment 12

[BugBot [:suhaib / :marco/ :calixte]]

The severity field for this bug is relatively low, S3. However, the bug has 10 votes.
:robwu, could you consider increasing the bug severity?

For more information, please visit auto_nag documentation.

Comment 13

[BugBot (nomail) [:suhaib / :marco/ :calixte]]

The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.