Closed
Bug 1348465
Opened 7 years ago
Closed 7 years ago
[extension context] should not flag stylesheet iteration as a security issue
Categories
(WebExtensions :: Compatibility, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: cgarnant, Unassigned)
References
Details
Attachments
(1 file)
1.51 MB,
application/octet-stream
|
Details |
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 Build ID: 20160701004039 Steps to reproduce: from Firefox Developer Edition - "SecurityError: The operation is insecure." When the following code is running in an extension and parsing ITS OWN STYLESHEETS - (i.e. it is not a content script parsing a tab's DOM)): the following is flagged. ... 14392 selector = attachments.toLowerCase(); 14393 stylesheets = document.styleSheets; 14394 for (j=0;j<stylesheets.length && isrule == false; j++) 14395 { 14396 stylesheet = stylesheets[j]; 14397 >>>> cssrules = stylesheet.cssRules; <<<<< 14398 for (k=0; k<cssrules.length && isrule == false; k++) 14399 { 14400 cssrule = cssrules[k]; 14401 if (cssrule.selectorText) 14402 { 14403 ruleselector = cssrule.selectorText.toLowerCase(); 14404 if (ruleselector === selector) 14405 isrule = true; 14406 } 14407 } 14408 } Actual results: Line 14397 should NOT be flagged as a security problem in the extension. [temporarily loaded extension in about:debugging] [It is correctly NOT flagged when this part of the sdk is run in the foreground, ie as a tab.] Expected results: This should not be flagged. this kills the extension/sdk. The extension works as expected in the latest versions of Chrome (Chrome 55,55_ (and in Chrome 26, 41, etc., etc.)
Reporter | ||
Comment 1•7 years ago
|
||
PS all resources are loaded via the manifest, including stylesheets. The extension is an SDK for a library that runs in a web page/browser/application tab. It only activates after a successful dialogue with the library in the tab page. If you need the exact test platform, I will forward a gzip of the extension directory tree, and a test application tree (but the latter will take a bit to package.) thx, Chrys
Comment 2•7 years ago
|
||
Probably not going to get very far without an example demonstrating the problem. That's a pretty generic error but I think in this case it means that we think the stylesheets come from a different context or origin. Since you say they are in fact same origin we'll need to see it in action to figure out where things get confused.
Flags: needinfo?(cgarnant)
Reporter | ||
Comment 3•7 years ago
|
||
Daniel: I am going to try to forward a copy of the extension (unpacked, must be loaded thru about:debugging) and two links to two test cases. The test cases are crude and under development and like Saturday Night Live, not yet ready for prime time. However, test case 1: is a simple tab widget demonstration test case 2: the sdkfirefly.html from the extension to run in a normal tab test procedure: open firefox developer edition: 1) nav to about:debugging 2) temporary load the extension (even though it says chrome version of manifest, this is what works now, the slightly older ff version of the manifest, (which used to load) will not load successfully anymore) 3) nav to www.dflibg.org/sdkfirefly.html the sdk gui will open and resize successfully because it is in the 'foreground' and not running as an extension, its sdk functionality is not available, but the resize and basic feature navigation work as they should. you will notice that the extension's icon will show up in the browser's address bar. 4) click on the green/yellow dfirefly extension icon in the address bar the extension gui, (the foreground is a copy) will open, but will not be able to resize the content panel because the library inside the extension can not access (as mentioned above) the style sheet inside the extension. thx chrys/cgarnant@att.net
Flags: needinfo?(cgarnant)
Reporter | ||
Comment 4•7 years ago
|
||
Daniel: The system will not let me forward an email to you with the extension .... dfirefly.0.7.10.6_chrome.tar.gz attached Please try downloading from www.dflibg.org/library
Reporter | ||
Comment 5•7 years ago
|
||
gzip copy of tar of extension directory tree i could not attach to email responding to 'infoneeded' thx chrys please feel free to call if need to walk through test
Reporter | ||
Comment 6•7 years ago
|
||
For the other test case, with the extension loaded, 1) nav to www.dflibg.org/apTabs.html [just to make sure we are in separate sandboxes and there is no cross-contamination, apTabs.html does not include the crucial stylesheet that sdkfirefly.html depends upon in the extension...] the 'app' still works ok, no surprise 2) click on the extension icon to open the sdk same problem - the extension can not iterate its own document stylesheets
Updated•7 years ago
|
Attachment #8850174 -
Attachment mime type: text/plain → application/octet-stream
Comment 7•7 years ago
|
||
This sounds more like a problem with the web extension context. Since it works in Chrome I'm putting this in the "compatibility" bucket.
Component: DOM: Security → WebExtensions: Compatibility
Flags: needinfo?(kmaglione+bmo)
Product: Core → Toolkit
Comment 8•7 years ago
|
||
This seems to work fine in current nightlies, but as far as I can tell, the problem is caused by the fact that the CSS file the <style> references doesn't actually exist.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Depends on: 1348442
Flags: needinfo?(kmaglione+bmo)
Resolution: --- → FIXED
Reporter | ||
Comment 9•7 years ago
|
||
(In reply to Kris Maglione [:kmag] from comment #8) > This seems to work fine in current nightlies, but as far as I can tell, the > problem is caused by the fact that the CSS file the <style> references > doesn't actually exist. Which reference do you think is missing? And if one were missing that should not be causing a 'security error' should it? I will try to track this, also and verify against a nightly build. This does, after all not cause a problem with chrome. But I will try to reverify - if you have any details to help I thank you in advance, Chrys
Reporter | ||
Comment 10•7 years ago
|
||
I loaded the most recent nightly and it all seems to work as expected there. So somewhere along the line this was addressed. But, Kris,if you did get an error line that said that the style object was empty, would you please forward that to me, thank you.
Comment 11•7 years ago
|
||
I didn't get an error that said the style object was empty. I just logged the URL of the StyleSheet object that was throwing the error, went to look at it, and found that it didn't exist.
Reporter | ||
Comment 12•7 years ago
|
||
Thank you. I was able to locate that and reload Dev Ed v49a and retest against that in addition to the earlier try on the nightly. And this time, it did not throw the prev exception on v49. I'm sorry to have wasted anyone's time. Again, my thanks.
Updated•6 years ago
|
Product: Toolkit → WebExtensions
You need to log in
before you can comment on or make changes to this bug.
Description
•