1346059 - browser.tabs.create can still open privileged urls

Status: RESOLVED INVALID

(WebExtensions :: General, defect)

Description

[Abdulrahman Alqabandi]

Attachment: open-my-page-button.zip (modified to show bug PoC)

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

According to 'https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/tabs/create'

"For security reasons, in Firefox, this may not be a privileged URL. "

Seems like we can trick it into opening about:newtab if we pass 'undefined' to the URL (check out attached poc) 

1. Go to 'about:debugging'
2. Click 'Load Temporary Add-on' 
3. Select the attached addon (after extracting to folder)




Actual results:

'about:newtab' opened


Expected results:

'about:blank' should have opened

Comment 1

[Abdulrahman Alqabandi]

Just to further prove this is unintended, if we set url to go to 'about:newtab' it will result in the following error:

[JavaScript Error: "Error: Illegal URL: about:newtab"]

Comment 2

[:Gijs (he/him)]

Kris, what can we do about this? I'm not sure about the background to the security restrictions here, but I also imagine that we want add-ons to be able to effectively say "open a new tab" and then have that have the same behaviour as opening a new tab normally does.

Comment 3

[Kris Maglione [:kmag]]

This is the intended behavior. It's not possible to explicitly open URLs like about:newtab, but new tabs created without a URL open with the default new tab page.

Comment 4

[:Gijs (he/him)]

(In reply to Kris Maglione [:kmag] from comment #3)
> This is the intended behavior. It's not possible to explicitly open URLs
> like about:newtab, but new tabs created without a URL open with the default
> new tab page.

So we can open this bug up (unmark sec-sensitive), right?

Comment 5

[Kris Maglione [:kmag]]

Yes