browser.tabs.create can still open privileged urls

RESOLVED INVALID

2 years ago
3 months ago

People

(Reporter: qab, Unassigned)

Tracking

55 Branch

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Created attachment 8845692 [details]
open-my-page-button.zip (modified to show bug PoC)

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

According to 'https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/tabs/create'

"For security reasons, in Firefox, this may not be a privileged URL. "

Seems like we can trick it into opening about:newtab if we pass 'undefined' to the URL (check out the attached PoC).

1. Go to 'about:debugging'
2. Click 'Load Temporary Add-on' 
3. Select the attached addon (after extracting to folder)




Actual results:

'about:newtab' opened


Expected results:

'about:blank' should have opened
(Reporter)

Comment 1

2 years ago
Just to further prove this is unintended, if we set url to go to 'about:newtab' it will result in the following error:

[JavaScript Error: "Error: Illegal URL: about:newtab"]

Comment 2

2 years ago
Kris, what can we do about this? I'm not sure about the background to the security restrictions here, but I also imagine that we want add-ons to be able to effectively say "open a new tab" and then have that have the same behaviour as opening a new tab normally does.
Group: firefox-core-security → toolkit-core-security
Component: Untriaged → WebExtensions: General
Flags: needinfo?(kmaglione+bmo)
Product: Firefox → Toolkit

Comment 3

This is the intended behavior. It's not possible to explicitly open URLs like about:newtab, but new tabs created without a URL open with the default new tab page.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(kmaglione+bmo)
Resolution: --- → INVALID
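
An added example, not part of the bug thread or of Firefox's code: since a missing `url` opens the default new tab page while an explicit `about:newtab` is rejected, extension code whose URL may be undefined can name the page it wants before calling `tabs.create`. The helper names `normalizeCreateProps` and `openTab` and the stand-in `fakeTabs` are hypothetical, and the example assumes `about:blank` is an accepted URL, as the reporter's expected result implies.

```javascript
// Added example: makes the "no URL" case explicit before calling tabs.create.
// normalizeCreateProps and openTab are hypothetical helper names.

// Decide what to pass to tabs.create for a URL that extension code computed
// and that may turn out to be undefined, null or empty.
function normalizeCreateProps(url, { fallback = "about:blank" } = {}) {
  if (url === undefined || url === null || String(url).trim() === "") {
    // Omitting url would open the default new tab page (comment 3),
    // so name the page we actually want instead.
    return { url: fallback, usedFallback: true };
  }
  return { url: String(url), usedFallback: false };
}

// Open a tab and report the outcome instead of letting a rejection escape.
async function openTab(tabs, url) {
  const { url: target, usedFallback } = normalizeCreateProps(url);
  try {
    const tab = await tabs.create({ url: target });
    return { ok: true, requested: target, usedFallback, tabId: tab.id };
  } catch (err) {
    // Firefox rejects privileged targets, e.g. "Illegal URL: about:newtab".
    return { ok: false, requested: target, usedFallback, error: String(err.message) };
  }
}

// Constructed stand-in for browser.tabs that mirrors only the behaviour
// reported in this bug, so the example also runs outside Firefox.
const fakeTabs = {
  opened: [],
  async create(props = {}) {
    if (props.url === "about:newtab") throw new Error("Illegal URL: about:newtab");
    const shown = props.url === undefined ? "about:newtab" : props.url;
    this.opened.push(shown);
    return { id: this.opened.length, url: shown };
  },
};

// Inside an extension this uses the real API; elsewhere the stand-in.
const tabsApi = typeof browser !== "undefined" ? browser.tabs : fakeTabs;
openTab(tabsApi, undefined).then((result) => console.log(result));
```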

Comment 4

2 years ago
(In reply to Kris Maglione [:kmag] from comment #3)
> This is the intended behavior. It's not possible to explicitly open URLs
> like about:newtab, but new tabs created without a URL open with the default
> new tab page.

So we can open this bug up (unmark sec-sensitive), right?
Flags: needinfo?(kmaglione+bmo)
Yes
Flags: needinfo?(kmaglione+bmo)

Updated

2 years ago
Group: toolkit-core-security

Updated

3 months ago
Product: Toolkit → WebExtensions