Web pages are not allowed to access/load images from browser, but sometimes they load them

Status: ASSIGNED
Assigned to: ckerschb
Reporter: 684sigma
Product: Core
Component: DOM: Security
Priority: P2
Severity: normal
Version: 52 Branch
Keywords: regression
Whiteboard: [domsecurity-active]
Firefox Tracking Flags: Not tracked
Attachments: 2
Reported: 7 months ago
Modified: 7 months ago

(Reporter)

Description

7 months ago
Created attachment 8861265 [details]
ellipsis problem, by reporter.zip

When testing Bug 1359282, I noticed an issue in Firefox Beta 52. It also happens in Firefox Beta 53, Nightly 55. Doesn't happen in ESR 45.
Local pages are not allowed to access/load images from extensions, but sometimes they load them. Here's how to reproduce the bug.

1. Install panorama
2. Start browser with e10s disabled
3. Open attached .html page. Cancel loading of the page.
4. Ctrl+Click on the reload button in address bar

Result: The page shows images from extension
Expected: The page should always show images, or should always hide them

Each time the page doesn't show images, browser console displays this error:
Security Error: Content at file:///C:/.../tabview.html may not load or link to chrome://tabgroups/skin/edit-light.png.
(Reporter)

Updated

7 months ago
Has STR: --- → yes
Keywords: regression

Updated

7 months ago
Component: Untriaged → Extension Compatibility
(Reporter)

Comment 1

7 months ago
Created attachment 8863065 [details]
web pages sometimes load images from extensions, by reporter.html

1. Install panorama.
2. Start browser with e10s disabled. Open, then close tab groups frame.
3. Open attached .html page. Cancel loading of the page.
4. Ctrl+Click on the reload button in address bar

Result: The page shows images from extension
Expected: The page should always show images, or should always hide them

Mozregression-gui generated this regression range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=632811bf4b6e96b54709d125c298493d30576eb8&tochange=bf69c3219b5ef75454640e9eaf087a2650c0c0eb
->
1206961 – Use channel->AsyncOpen2() in image/imgLoader.cpp
https://bugzilla.mozilla.org/show_bug.cgi?id=1206961
(Reporter)

Updated

7 months ago
Blocks: 1206961
Has Regression Range: --- → yes
Flags: needinfo?(ckerschb)
Summary: Local pages are not allowed to access/load images from extensions, but sometimes they load them → Web pages are not allowed to access/load images from extensions, but sometimes they load them
(Reporter)

Comment 2

7 months ago
1. Start browser with e10s disabled.
2. Open this url, then loading of the page - data:text/html,<div style="width: 48px;height: 48px;background-image: url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
3. Ctrl+Click on the reload button in address bar

Result: The page shows images from browser
Expected: The page should always show images, or should always hide them
Component: Extension Compatibility → Untriaged
Summary: Web pages are not allowed to access/load images from extensions, but sometimes they load them → Web pages are not allowed to access/load images from browser, but sometimes they load them
(Reporter)

Comment 3

7 months ago
Correction: in all scenarios it's necessary to load image at least once. So completely accurate scenarios are described in Comment #1, Comment #3.

1. Start browser with e10s disabled.
2. Open this url - chrome://mozapps/skin/plugins/contentPluginBlocked.png
3. Open this url, then cancel loading of the page - data:text/html,<div style="width: 48px;height: 48px;background-image: url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
4. Ctrl+Click on the reload button in address bar

Result: The page shows images from extension
Expected: The page should always show images, or should always hide them


Mozregression-gui generated this regression range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=632811bf4b6e96b54709d125c298493d30576eb8&tochange=bf69c3219b5ef75454640e9eaf087a2650c0c0eb
->
1206961 – Use channel->AsyncOpen2() in image/imgLoader.cpp
https://bugzilla.mozilla.org/show_bug.cgi?id=1206961

Updated

7 months ago
Component: Untriaged → DOM: Security
Product: Firefox → Core
(Assignee)

Comment 4

7 months ago
(In reply to 684sigma from comment #3)
> Correction: in all scenarios it's necessary to load image at least once. So
> completely accurate scenarios are described in Comment #1, Comment #3.
> 
> 1. Start browser with e10s disabled.
> 2. Open this url - chrome://mozapps/skin/plugins/contentPluginBlocked.png
> 3. Open this url, then cancel loading of the page - data:text/html,<div
> style="width: 48px;height: 48px;background-image:
> url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
> 4. Ctrl+Click on the reload button in address bar
> 
> Result: The page shows images from extension
> Expected: The page should always show images, or should always hide them

I can reproduce that problem. If you 'just' click reload it's still blocked, but if you click 'ctrl-click' it loads in the new tab. I suspect this is an artifact that we are not passing the principal from frontend to the backend code and use the fallback mechanism within docshell to generate a triggeringPrincipal. In fact loading that image should always be blocked because that particular one is not content accessible.

Most likely the problem will be fixed with Bug 1333030.
Flags: needinfo?(ckerschb)
Priority: -- → P2
Whiteboard: [domsecurity-active]
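
The suspicion in comment 4, as an added model that is not Firefox code and not part of the bug discussion: a load check keyed on the triggering principal gives different answers for the same image when one navigation path drops the principal and a fallback is substituted. The names `SYSTEM`, `mayLoad`, `loadWithFallback`, `loadStrict` and the registry are hypothetical, and the model assumes the fallback principal is privileged.

```javascript
// Added illustration: a simplified model, not Firefox source code.
// Assumption: the fallback principal is privileged (modelled as SYSTEM).
const SYSTEM = { kind: "system" };
const contentPrincipal = (origin) => ({ kind: "content", origin });

// Hypothetical registry of chrome:// packages exposed to content (constructed).
const CONTENT_ACCESSIBLE = new Set(["example-accessible"]);

// Core check: may `triggering` load `url`?
function mayLoad(url, triggering) {
  const u = new URL(url);
  if (u.protocol !== "chrome:") return true;      // other schemes not modelled
  if (triggering.kind === "system") return true;  // privileged callers pass
  return CONTENT_ACCESSIBLE.has(u.hostname);      // content needs the opt-in
}

// Flawed entry point: a missing principal is silently replaced by the fallback.
function loadWithFallback(url, passed) {
  return mayLoad(url, passed ?? SYSTEM);
}

// Hardened entry point: a missing principal means the load fails closed.
function loadStrict(url, passed) {
  return passed ? mayLoad(url, passed) : false;
}

// Invariant from the report: every navigation path must reach the same
// decision. A path is modelled only by whether it forwards the principal.
function decisions(loader, url, pagePrincipal) {
  const paths = {
    reload: pagePrincipal,       // principal forwarded
    ctrlClickReload: undefined,  // principal dropped on the way to the back end
  };
  return Object.fromEntries(
    Object.entries(paths).map(([name, p]) => [name, loader(url, p)]));
}

function isConsistent(result) {
  return new Set(Object.values(result)).size === 1;
}

const IMG = "chrome://mozapps/skin/plugins/contentPluginBlocked.png"; // from the report
const PAGE = contentPrincipal("null"); // constructed principal for the test page
console.log("fallback:", decisions(loadWithFallback, IMG, PAGE));
console.log("strict:  ", decisions(loadStrict, IMG, PAGE));
```

A regression test built on `isConsistent` catches this class of bug without needing to know which path is the privileged one.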
(Assignee)

Updated

7 months ago
Assignee: nobody → ckerschb
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true