Warn when webRequest filters don't overlap with host permissions

RESOLVED FIXED in Firefox 54

Status

defect
P2
normal
RESOLVED FIXED
2 years ago
Last year

People

(Reporter: kmag, Assigned: zombie)

Tracking

unspecified
mozilla55

Firefox Tracking Flags

(firefox54 fixed, firefox55 fixed)

Details

(Whiteboard: triaged)

Attachments

(3 attachments)

We should warn when an extension tries to add a webRequest listener which will never be called because its filters don't match any host permissions.

For instance, the following should not trigger a warning:

  permissions: "http://example.com/"
  addListener({urls: ["<all_urls>"]})

But the following should:

  permissions: "http://example.com/"
  addListener({urls: ["http://example.org/*"]})
Priority: -- → P2
Whiteboard: triaged
A nice algorithm problem..  ;)
Assignee: nobody → tomica
Status: NEW → ASSIGNED
Posted file globsOverlap.js
> A nice algorithm problem..  ;)

Nope.  Hosts permissions don't have the path component, so this is not as interesting of a problem as I expected -- namely, testing if two glob patterns can possibly overlap.

Alas, I noticed this only after writing the function, so I'm uploading it here, along with some basic tests, in case we ever need similar functionality.
Attachment #8851399 - Flags: review?(kmaglione+bmo)
Comment on attachment 8851399 [details]
Bug 1345225 - Check if webRequest filters overlap with host permissions

https://reviewboard.mozilla.org/r/123698/#review126124

Looks good, but I'm worried about domain substring matching.

::: toolkit/modules/addons/MatchPattern.jsm:117
(Diff revision 1)
> +    if (!this.schemes.some(scheme => other.schemes.includes(scheme))) {
> +      return false;
> +    }
> +    return this.host === other.host ||
> +           (this.host[0] === "*" && other.host.endsWith(this.host.slice(2))) ||
> +           (other.host[0] === "*" && this.host.endsWith(other.host.slice(2)));

Close, but what about `*.foo.com` vs. `barfoo.com`?

::: toolkit/modules/tests/xpcshell/test_MatchPattern.js:95
(Diff revision 1)
>    // Match url with fragments.
>    pass({url: "http://mozilla.org/base#some-fragment", pattern: "http://mozilla.org/base"});
>  }
> +
> +function test_overlaps() {
> +

Nit: Please remove blank line. I'm pretty sure ESLint will complain.

::: toolkit/modules/tests/xpcshell/test_MatchPattern.js:103
(Diff revision 1)
> +    const f = new MatchPattern(filter);
> +    return h.overlapsIgnoringPath(f) && f.overlapsIgnoringPath(h);
> +  }
> +
> +  function pass({hosts, filter}) {
> +    do_check_true(test(hosts, filter), `Expected to overlap: ${hosts}, ${filter}`);

Nit: s/do_check_true/ok/

::: toolkit/modules/tests/xpcshell/test_MatchPattern.js:107
(Diff revision 1)
> +  function pass({hosts, filter}) {
> +    do_check_true(test(hosts, filter), `Expected to overlap: ${hosts}, ${filter}`);
> +  }
> +
> +  function fail({hosts, filter}) {
> +    do_check_false(test(hosts, filter), `Expected no overlap: ${hosts}, ${filter}`);

Nit: s/do_check_false(/ok(!/
Attachment #8851399 - Flags: review?(kmaglione+bmo)
Comment on attachment 8851399 [details]
Bug 1345225 - Check if webRequest filters overlap with host permissions

https://reviewboard.mozilla.org/r/123698/#review126324

::: toolkit/modules/addons/MatchPattern.jsm:112
(Diff revision 2)
>    },
> +
> +  // Tests if this can possibly overlap with the |other| SingleMatchPattern.
> +  overlapsIgnoringPath(other) {
> +    return this.schemes.some(scheme => other.schemes.includes(scheme)) &&
> +           (this.hostMatch(other) || other.hostMatch(this));

D'oh, for missing the substring vs subdomain distinction.

I started adding the necesery checks, but it quickly got less elegant -- and hinting at the similar code from `getHostMatcher()` above.

The end result is so simple that it almost feels too good to be true?  ;)
webextensions: --- → ?
Comment on attachment 8851399 [details]
Bug 1345225 - Check if webRequest filters overlap with host permissions

https://reviewboard.mozilla.org/r/123698/#review127430

Sorry, two more things:

1) Since you wrote this, Andrew landed optional permissions, so we also need to consider `extension.optionalOrigins` when checking host permissions.

2) We should probably check that *all* of the URL filters match, rather than *some*. I can't think of a good reason why you'd want any of your URL filters to never match one of your actual host permissions.
Attachment #8851399 - Flags: review?(kmaglione+bmo)
webextensions: ? → ---
Comment on attachment 8851399 [details]
Bug 1345225 - Check if webRequest filters overlap with host permissions

https://reviewboard.mozilla.org/r/123698/#review127430

1) Assumed we don't need a warning when a filter only matches an optional host permission (granted or not).

2) Renamed the method, since it's not a generic/symetrical "overlap" anymore.
Comment on attachment 8851399 [details]
Bug 1345225 - Check if webRequest filters overlap with host permissions

https://reviewboard.mozilla.org/r/123698/#review129128

::: toolkit/components/extensions/ext-webRequest.js:90
(Diff revision 3)
> +      if (!context.extension.whiteListedHosts.overlapsFilter(filter2.urls) &&
> +          !context.extension.optionalOrigins.overlapsFilter(filter2.urls)) {

This is close, but I think we need something like `filter.urls.every(url => whitelisted.matches || optional.matches)`, or we'll admit an error for a filter that's partially covered by existing permissions and partially by optional permissions.
Attachment #8851399 - Flags: review?(kmaglione+bmo) → review+
Comment on attachment 8851399 [details]
Bug 1345225 - Check if webRequest filters overlap with host permissions

Asking for r? again, given my track record in this bug.. ;)
Attachment #8851399 - Flags: review+ → review?(kmaglione+bmo)
Comment on attachment 8851399 [details]
Bug 1345225 - Check if webRequest filters overlap with host permissions

https://reviewboard.mozilla.org/r/123698/#review130602

::: toolkit/modules/addons/MatchPattern.jsm:192
(Diff revision 4)
>  
> +  // Checks if every part of this filter overlaps with
> +  // some of the |hosts| or |optional| permissions MatchPatterns.
> +  overlapsPermissions(hosts, optional) {
> +    const perms = hosts.matchers.concat(optional.matchers);
> +    return this.matchers.length && this.matchers.every(f => perms.some(p => f.overlapsIgnoringPath(p)));

Nit: Can we make this `p => p.overlapsIgnoringPath(f)` instead? I find this a bit hard to parse. Also, probably s/\bf\b/matcher/ or `m` or something.
Attachment #8851399 - Flags: review?(kmaglione+bmo) → review+
Keywords: checkin-needed
Pushed by ihsiao@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b2356d602d2e
Check if webRequest filters overlap with host permissions r=kmag
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/b2356d602d2e
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Comment on attachment 8851399 [details]
Bug 1345225 - Check if webRequest filters overlap with host permissions

Approval Request Comment
> [Feature/Bug causing the regression]:
Not a regression, but a behavior change from bug 1311815 that impacts extension compat.

> [User impact if declined]:
Possible a high number of extensions might stop working if developers are not notified of the change.

[Is this code covered by automated tests?]:
Yes, solid coverage of existing code, plus new tests for this warning logic.

[Has the fix been verified in Nightly?]:
Yes.

[Needs manual test from QE? If yes, steps to reproduce]: 
No.

[List of other uplifts needed for the feature/fix]:
None.

[Is the change risky?]:
No.

[Why is the change risky/not risky?]:
It only adds a developer console warning in cases when extension will be impacted by the changed behavior.

[String changes made/needed]:
None.
Attachment #8851399 - Flags: approval-mozilla-aurora?
Comment on attachment 8851399 [details]
Bug 1345225 - Check if webRequest filters overlap with host permissions

Fix an extension compatibility issue and include tests. Aurora54+.
Attachment #8851399 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
has problems to apply to aurora

warning: conflicts while merging toolkit/modules/addons/MatchPattern.jsm! (edit, then use 'hg resolve --mark')
abort: unresolved conflicts, can't continue
(use 'hg resolve' and 'hg graft --continue')
Tomcats-MacBook-Pro-820:mozilla-central Tomcat$ hg revert -a
Flags: needinfo?(tomica)
(In reply to Carsten Book [:Tomcat] from comment #19)
> has problems to apply to aurora

Rebased for aurora.  Try push:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1ddc58bdc248
Flags: needinfo?(tomica)
Comment on attachment 8851399 [details]
Bug 1345225 - Check if webRequest filters overlap with host permissions

Actually: https://treeherder.mozilla.org/#/jobs?repo=try&revision=1a4404eee884

Asking for checkin to aurora.
Attachment #8851399 - Flags: checkin?
Comment on attachment 8851399 [details]
Bug 1345225 - Check if webRequest filters overlap with host permissions

No need to request checkin on uplifts. There's bug queries for approved patches that haven't been uplifted yet.
Attachment #8851399 - Flags: checkin?
Needs a rebased patch for Aurora.
Flags: needinfo?(tomica)
I already rebased to aurora above, and I don't see any more conflicts:


(In reply to Tomislav Jovanovic :zombie from comment #20)
> Review request updated; see interdiff:
> https://reviewboard.mozilla.org/r/123698/diff/5-6/


(In reply to Tomislav Jovanovic :zombie from comment #21)
> Rebased for aurora.  Try push:


(In reply to Tomislav Jovanovic :zombie from comment #22)
> Actually:  https://treeherder.mozilla.org/#/jobs?repo=try&revision=1a4404eee884
> 
> Asking for checkin to aurora.
Flags: needinfo?(tomica)
Rebased patch for aurora.
Product: Toolkit → WebExtensions
You need to log in before you can comment on or make changes to this bug.