Open
Bug 1359284
Opened 7 years ago
Updated 2 years ago
Web pages are not allowed to access/load images from browser, but sometimes they load them
Categories
(Core :: DOM: Security, defect, P3)
NEW
People
(Reporter: 684sigma, Unassigned)
Details
(Keywords: regression, Whiteboard: [domsecurity-backlog1])
Attachments
(2 files)
When testing Bug 1359282, I noticed an issue in Firefox Beta 52. It also happens in Firefox Beta 53, Nightly 55. Doesn't happen in ESR 45.
Local pages are not allowed to access/load images from extensions, but sometimes they load them. Here's how to reproduce the bug.
1. Install panorama
2. Start browser with e10s disabled
3. Open attached .html page. Cancel loading of the page.
4. Ctrl+Click on the reload button in address bar
Result: The page shows images from the extension
Expected: The page should always show images, or should always hide them
Each time the page doesn't show images, browser console displays this error:
Security Error: Content at file:///C:/.../tabview.html may not load or link to chrome://tabgroups/skin/edit-light.png.
Has STR: --- → yes
Keywords: regression
Updated•7 years ago
Component: Untriaged → Extension Compatibility
1. Install panorama.
2. Start browser with e10s disabled. Open, then close tab groups frame.
3. Open attached .html page. Cancel loading of the page.
4. Ctrl+Click on the reload button in address bar
Result: The page shows images from the extension
Expected: The page should always show images, or should always hide them
Mozregression-gui generated this regression range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=632811bf4b6e96b54709d125c298493d30576eb8&tochange=bf69c3219b5ef75454640e9eaf087a2650c0c0eb
->
1206961 – Use channel->AsyncOpen2() in image/imgLoader.cpp
https://bugzilla.mozilla.org/show_bug.cgi?id=1206961
Blocks: 1206961
Has Regression Range: --- → yes
Flags: needinfo?(ckerschb)
Summary: Local pages are not allowed to access/load images from extensions, but sometimes they load them → Web pages are not allowed to access/load images from extensions, but sometimes they load them
1. Start browser with e10s disabled.
2. Open this url, then loading of the page - data:text/html,<div style="width: 48px;height: 48px;background-image: url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
3. Ctrl+Click on the reload button in address bar
Result: The page shows images from the browser
Expected: The page should always show images, or should always hide them
Component: Extension Compatibility → Untriaged
Summary: Web pages are not allowed to access/load images from extensions, but sometimes they load them → Web pages are not allowed to access/load images from browser, but sometimes they load them
Correction: in all scenarios it's necessary to load the image at least once. So completely accurate scenarios are described in Comment #1, Comment #3.
1. Start browser with e10s disabled.
2. Open this url - chrome://mozapps/skin/plugins/contentPluginBlocked.png
3. Open this url, then cancel loading of the page - data:text/html,<div style="width: 48px;height: 48px;background-image: url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
4. Ctrl+Click on the reload button in address bar
Result: The page shows images from the extension
Expected: The page should always show images, or should always hide them
Mozregression-gui generated this regression range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=632811bf4b6e96b54709d125c298493d30576eb8&tochange=bf69c3219b5ef75454640e9eaf087a2650c0c0eb
->
1206961 – Use channel->AsyncOpen2() in image/imgLoader.cpp
https://bugzilla.mozilla.org/show_bug.cgi?id=1206961
Updated•7 years ago
Component: Untriaged → DOM: Security
Product: Firefox → Core
Comment 4•7 years ago
(In reply to 684sigma from comment #3)
> Correction: in all scenarios it's necessary to load image at least once. So
> completely accurate scenarios are described in Comment #1, Comment #3.
>
> 1. Start browser with e10s disabled.
> 2. Open this url - chrome://mozapps/skin/plugins/contentPluginBlocked.png
> 3. Open this url, then cancel loading of the page - data:text/html,<div
> style="width: 48px;height: 48px;background-image:
> url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
> 4. Ctrl+Click on the reload button in address bar
>
> Result: The page shows images from the extension
> Expected: The page should always show images, or should always hide them
I can reproduce that problem. If you 'just' click reload it's still blocked, but if you click 'ctrl-click' it loads in the new tab. I suspect this is an artifact that we are not passing the principal from frontend to the backend code and use the fallback mechanism within docshell to generate a triggeringPrincipal. In fact loading that image should always be blocked because that particular one is not content accessible.
Most likely the problem will be fixed with Bug 1333030.
Flags: needinfo?(ckerschb)
Priority: -- → P2
Whiteboard: [domsecurity-active]
Updated•7 years ago
|
Assignee: nobody → ckerschb
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
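A simplified model of the cause suspected in comment 4, added here as an illustration; it is not Gecko code and not from anyone in this bug. It shows how a load decision can differ between two UI paths when one of them omits the triggering principal and the backend substitutes a fallback, next to a fail-closed variant. The function names, the package table, the privileged fallback and the choice of which path omits the principal are all assumptions.

```javascript
// Simplified model of the check discussed in comment 4; not Gecko code.
// Constructed table: which chrome:// packages web content may read.
const CONTENT_ACCESSIBLE = { mozapps: false, "demo-public": true };

const SYSTEM = Object.freeze({ kind: "system" });
const contentPrincipal = (origin) => Object.freeze({ kind: "content", origin });

// Decide a load from the principal that triggered it, never from the URL alone.
function mayLoad(triggeringPrincipal, uri) {
  const m = /^chrome:\/\/([^/]+)\//.exec(uri);
  if (!m) return true;                      // non-chrome URIs are out of scope here
  if (triggeringPrincipal.kind === "system") return true;
  return CONTENT_ACCESSIBLE[m[1]] === true; // content needs an accessible package
}

// Lenient backend: a request without a principal gets a fallback one.
// Assumption: the fallback is privileged; the bug does not say what it is.
function resolveLenient(request, fallback = SYSTEM) {
  return request.triggeringPrincipal ?? fallback;
}

// Strict backend: a request without a principal is refused (fail closed).
function resolveStrict(request) {
  if (!request.triggeringPrincipal) throw new Error("missing triggeringPrincipal");
  return request.triggeringPrincipal;
}

// Run the same image load through each UI path and report every decision.
function decide(resolve, uri, requests) {
  return requests.map((req) => {
    try { return mayLoad(resolve(req), uri); }
    catch (e) { return false; }             // refused requests load nothing
  });
}

const IMG = "chrome://mozapps/skin/plugins/contentPluginBlocked.png";
const page = contentPrincipal("data: page (constructed)");
// Constructed requests. Assumption: plain reload forwards the page's
// principal and Ctrl+Click reload forwards none.
const REQUESTS = [
  { via: "reload", triggeringPrincipal: page },
  { via: "ctrl+click reload" },
];

console.log("lenient:", decide(resolveLenient, IMG, REQUESTS)); // [ false, true ]
console.log("strict: ", decide(resolveStrict, IMG, REQUESTS));  // [ false, false ]
```

In this model only the strict resolver gives the same answer on both paths, which is the consistent behaviour the report asks for.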
Comment 5•6 years ago
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Updated•3 years ago
Assignee: ckerschb → nobody
Status: ASSIGNED → NEW
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
Updated•2 years ago
Severity: normal → S3