Closed Bug 1348465 Opened 7 years ago Closed 7 years ago

[extension context] should not flag stylesheet iteration as a security issue

Categories

(WebExtensions :: Compatibility, defect)

Product:
WebExtensions
Component:
Compatibility
Version:
49 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: cgarnant, Unassigned)

References

Details

Attachments

(1 file)

extension where access by extension to stylesheet contained in the extension is blocked
1.51 MB, application/octet-stream
Details 
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160701004039

Steps to reproduce:

from Firefox Developer Edition -
"SecurityError: The operation is insecure."
When the following code is running in an extension and parsing ITS OWN STYLESHEETS - (i.e. it is not a content script parsing a tab's DOM)):
the following is flagged.
                          ...
14392                  selector = attachments.toLowerCase();
14393                  stylesheets = document.styleSheets;
14394                  for (j=0;j<stylesheets.length && isrule == false; j++)
14395                      {
14396                      stylesheet = stylesheets[j];
14397    >>>>                 cssrules = stylesheet.cssRules;   <<<<<
14398                      for (k=0; k<cssrules.length && isrule == false; k++)
14399                           {
14400                           cssrule = cssrules[k];
14401                           if (cssrule.selectorText)
14402                              {
14403                              ruleselector = cssrule.selectorText.toLowerCase();
14404                              if (ruleselector === selector)
14405                                  isrule = true;
14406                              }
14407                          }
14408                      }


Actual results:

Line 14397 should NOT be flagged as a security problem in the extension.
[temporarily loaded extension in about:debugging]
[It is correctly NOT flagged when this part of the sdk is run in the foreground,
ie as a tab.]


Expected results:

This should not be flagged. this kills the extension/sdk.
The extension works as expected in the latest versions of Chrome (Chrome 55,55_
(and in Chrome 26, 41, etc., etc.)
PS all resources are loaded via the manifest, including stylesheets.

The extension is an SDK for a library that runs in a web page/browser/application tab.
It only activates after a successful dialogue with the library in the tab page.
If you need the exact test platform, I will forward a gzip of the extension directory
tree, and a test application tree (but the latter will take a bit to package.)
thx, Chrys
Component: Untriaged → DOM: Security
Product: Firefox → Core
Probably not going to get very far without an example demonstrating the problem. That's a pretty generic error but I think in this case it means that we think the stylesheets come from a different context or origin. Since you say they are in fact same origin we'll need to see it in action to figure out where things get confused.
Flags: needinfo?(cgarnant)
Daniel:
I am going to try to forward a copy of the extension (unpacked, must be loaded thru about:debugging)
and two links to two test cases.  The test cases are crude and under development and like Saturday Night Live,
not yet ready for prime time. However,
test case 1: is a simple tab widget demonstration
test case 2: the sdkfirefly.html from the extension to run in a normal tab

test procedure:
open firefox developer edition:

1) nav to about:debugging
2) temporary load the extension   (even though it says chrome version of manifest, this is what works now, the slightly
                                   older ff version of the manifest, (which used to load) will not load successfully anymore)
3) nav to www.dflibg.org/sdkfirefly.html

the sdk gui will open and resize successfully
because it is in the 'foreground' and not running as an extension, its sdk functionality is not available, but
the resize and basic feature navigation work as they should.

you will notice that the extension's icon will show up in the browser's address bar.
4) click on the green/yellow dfirefly extension icon in the address bar

the extension gui, (the foreground is a copy) will open, but will not be able to resize the
content panel because the library inside the extension can not access (as mentioned above) the
style sheet inside the extension.

thx chrys/cgarnant@att.net
Flags: needinfo?(cgarnant)
Daniel:
The system will not let me forward an email to you with the extension ....
dfirefly.0.7.10.6_chrome.tar.gz attached
Please try downloading from www.dflibg.org/library
gzip copy of tar of extension directory tree i could not attach to email responding to 'infoneeded'
thx chrys
please feel free to call if
need to walk through test
For the other test case,
with the extension loaded,
1) nav to www.dflibg.org/apTabs.html

   [just to make sure we are in separate sandboxes and there is no cross-contamination, apTabs.html does not
   include the crucial stylesheet that sdkfirefly.html depends upon in the extension...]

   the 'app' still works ok, no surprise
2) click on the extension icon to open the sdk
   same problem - the extension can not iterate its own document stylesheets
Attachment #8850174 - Attachment mime type: text/plain → application/octet-stream
This sounds more like a problem with the web extension context. Since it works in Chrome I'm putting this in the "compatibility" bucket.
Component: DOM: Security → WebExtensions: Compatibility
Flags: needinfo?(kmaglione+bmo)
Product: Core → Toolkit
This seems to work fine in current nightlies, but as far as I can tell, the problem is caused by the fact that the CSS file the <style> references doesn't actually exist.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Depends on: 1348442
Flags: needinfo?(kmaglione+bmo)
Resolution: --- → FIXED
(In reply to Kris Maglione [:kmag] from comment #8)
> This seems to work fine in current nightlies, but as far as I can tell, the
> problem is caused by the fact that the CSS file the <style> references
> doesn't actually exist.

Which reference do you think is missing? And if one were missing that should not be causing a 'security error' should it?
I will try to track this, also and verify against a nightly build.
This does, after all not cause a problem with chrome.
But I will try to reverify - if you have any details to help I thank you in advance, Chrys
I loaded the most recent nightly and it all seems to work as expected there.  So somewhere along the line this
was addressed.  But, Kris,if you did get an error line that said that the style object was empty, would you please
forward that to me, thank you.
I didn't get an error that said the style object was empty. I just logged the URL of the StyleSheet object that was throwing the error, went to look at it, and found that it didn't exist.
Thank you.  I was able to locate that and reload Dev Ed v49a and retest against that in addition to the earlier try on the nightly. And this time, it did not throw the prev exception on v49.
I'm sorry to have wasted anyone's time. Again, my thanks.
Product: Toolkit → WebExtensions
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: