Closed Bug 1342418 Opened 7 years ago Closed 7 years ago

run_at is ignored on content scripts when a dynamically created iframe (about_blank) is attached to a page

Categories

(WebExtensions :: Untriaged, defect)

53 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jeremy.schomery, Unassigned)

Details

(Whiteboard: investigating)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

On FF 53.0a2 (2017-02-22), with `run_at` set to `document_start` and `match_about_blank` set to true for a content script:

Example Script:
```js
// Page script: open a link from a freshly attached about:blank iframe, before a
// document_start content script has been injected into that frame.
var iframe = document.createElement('iframe');
document.body.appendChild(iframe);
var link = iframe.contentDocument.createElement('a');
link.target = '_blank';
link.href = 'http://example.com/';            // anchors navigate via href, not src
iframe.contentDocument.body.appendChild(link); // click() only navigates a connected anchor
link.click();
document.body.removeChild(iframe);
```
Actual results:

content script is injected at `document_end` instead of `document_start` (based on https://bugzilla.mozilla.org/show_bug.cgi?id=1272890#c43). Basically `run_at` is ignored.

Based on my comment at https://bugzilla.mozilla.org/show_bug.cgi?id=1272890#c44 this can cause security problems with extensions that are supposed to block different things in newly created iframes. For instance, a malicious script can open a link before a security extension is aware of the iframe's existence.

Also, since the content script is not injected before other scripts, it is not possible to overwrite or protect JavaScript objects like `window.open` in iframes, and hence in the parent document:

```js
// A page script grabs an unpatched `open` from a freshly attached about:blank
// iframe and uses it to replace whatever the content script installed on the parent.
var iframe = document.createElement('iframe');
document.body.appendChild(iframe);
window.open = iframe.contentWindow.open;
```
Expected results:

content script should be injected before page scripts are injected
OS: Unspecified → All
Hardware: Unspecified → All
Summary: run_at is ignored on content scripts when a dynamically created iframe (about_blank) is attache to the page → run_at is ignored on content scripts when a dynamically created iframe (about_blank) is attache to a page
Summary: run_at is ignored on content scripts when a dynamically created iframe (about_blank) is attache to a page → run_at is ignored on content scripts when a dynamically created iframe (about_blank) is attached to a page
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit
looking into
Flags: needinfo?(kmaglione+bmo)
Whiteboard: investigating
about:blank documents are special, and don't really have load states. They have no scripts of their own, so there are no page scripts to ensure that content scripts are run before. It's possible for same-origin pages to execute scripts in about:blank pages before extension content scripts, but that also goes for content scripts in any other pages. All we can guarantee is that content scripts are executed very early in the load cycle, not that nothing else gets access to the window before they do.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(kmaglione+bmo)
Resolution: --- → WONTFIX
Product: Toolkit → WebExtensions
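The following is an added example, not code from this bug report or from any extension. It models the bypass in the report (a page script grabbing a pristine `open` from a freshly attached about:blank iframe) and one content-script-side countermeasure, on constructed window-like mocks so it runs under Node without a browser. Everything browser-specific is an assumption that is not exercised here: in Firefox the guard would be installed on `window.wrappedJSObject`, the replacement getter would have to be wrapped with `exportFunction`, and the accessor to wrap is `HTMLIFrameElement.prototype.contentWindow`. Note also the caveat from the maintainer's reply above: page scripts can reach an about:blank window through other paths (`window.frames`, `window[0]`) and may run before the content script does, so patching the page realm is a mitigation, not a security boundary; the reliable control for "block navigations from new frames" is the extension layer (`webRequest` / `webNavigation`), which does not depend on the page realm at all.

```javascript
// Added example (not from the bug report or any extension). Mocks stand in for
// browser windows; the Firefox wiring (wrappedJSObject, exportFunction) is assumed.

// Mock realm factory: every window gets its own unpatched open(), exactly as a
// fresh about:blank iframe does in a browser. `navigations` records what the
// "native" open() would have loaded.
function makeWindow(navigations) {
  const IFrameProto = {};
  const win = { navigations, IFrameProto, frames: [] };
  win.open = function nativeOpen(url) { navigations.push(url); return {}; };
  // contentWindow is an accessor on the element prototype, as in the DOM.
  Object.defineProperty(IFrameProto, 'contentWindow', {
    configurable: true,
    get() { return this._win || null; },
  });
  win.document = {
    createElement(tag) {
      if (tag !== 'iframe') throw new Error('mock only supports iframe');
      return Object.create(IFrameProto);
    },
    body: {
      appendChild(el) {
        // Attaching creates the about:blank child, which has a pristine open().
        el._win = makeWindow(navigations);
        win.frames.push(el._win);
        return el;
      },
    },
  };
  return win;
}

// Policy shared by both guards: allow only listed origins (constructed allowlist).
function isAllowed(url, allowedOrigins) {
  try { return allowedOrigins.includes(new URL(url).origin); } catch (e) { return false; }
}

// Naive guard: what a content script that only overwrites window.open does.
function installNaiveGuard(win, allowedOrigins) {
  const nativeOpen = win.open;
  win.open = function guardedOpen(url, ...rest) {
    return isAllowed(url, allowedOrigins) ? nativeOpen.call(win, url, ...rest) : null;
  };
}

// Hardened guard: additionally wraps the contentWindow accessor so a child
// window is guarded before the page can read its open() from it.
function installHardenedGuard(win, allowedOrigins, seen = new WeakSet()) {
  if (seen.has(win)) return;
  seen.add(win);
  installNaiveGuard(win, allowedOrigins);
  const desc = Object.getOwnPropertyDescriptor(win.IFrameProto, 'contentWindow');
  Object.defineProperty(win.IFrameProto, 'contentWindow', {
    configurable: true,
    get() {
      const child = desc.get.call(this);
      if (child) installHardenedGuard(child, allowedOrigins, seen);
      return child;
    },
  });
}

// The page-side bypass from the report, run against a guarded window.
// Returns true if the navigation went through (i.e. the guard was bypassed).
function attemptBypass(win, target) {
  const iframe = win.document.createElement('iframe');
  win.document.body.appendChild(iframe);
  win.open = iframe.contentWindow.open; // fresh realm, unpatched unless guarded
  return win.open(target) !== null;
}

// Runs both the direct call and the bypass under a given guard installer.
function runScenario(install) {
  const navigations = [];
  const page = makeWindow(navigations);
  install(page, ['https://app.example']);
  const direct = page.open('http://example.com/') !== null;
  const bypass = attemptBypass(page, 'http://example.com/');
  return { direct, bypass, navigations };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive guard   :', runScenario(installNaiveGuard));
  console.log('hardened guard:', runScenario(installHardenedGuard));
}
```

With the naive guard the direct call is blocked but the bypass succeeds and `navigations` records the URL; with the hardened guard both are blocked. Mapping this to Firefox means calling `installHardenedGuard(window.wrappedJSObject, ...)` from a `document_start` content script and wrapping the replacement getter with `exportFunction` so the page can invoke it; that wiring is assumed here, not shown.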