Open Bug 1359284 Opened 7 years ago Updated 2 years ago

Web pages are not allowed to access/load images from browser, but sometimes they load them

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Version:
52 Branch
Type:
defect

Tracking

()

People

(Reporter: 684sigma, Unassigned)

References

Details

(Keywords: regression, Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

ellipsis problem, by reporter.zip
53.73 KB, application/zip
Details
web pages sometimes load images from extensions, by reporter.html
145 bytes, text/html
Details 
When testing Bug 1359282, I noticed an issue in Firefox Beta 52. It also happens in Firefox Beta 53, Nightly 55. Doesn't happen in ESR 45.
Local pages are not allowed to access/load images from extensions, but sometimes they load them. Here's how to reproduce the bug.

1. Install panorama
2. Start browser with e10s disabled
3. Open attached .html page. Cancel loading of the page.
4. Ctrl+Click on the reload button in address bar

Result: The page show images from extension
Expected: The page should always show images, or should always hide them

Each time the page doesn't show images, browser console displays this error:
Security Error: Content at file:///C:/.../tabview.html may not load or link to chrome://tabgroups/skin/edit-light.png.
Has STR: --- → yes
Keywords: regression
Component: Untriaged → Extension Compatibility
1. Install panorama.
2. Start browser with e10s disabled. Open, then close tab groups frame.
3. Open attached .html page. Cancel loading of the page.
4. Ctrl+Click on the reload button in address bar

Result: The page show images from extension
Expected: The page should always show images, or should always hide them

Mozregression-gui generaged this regression range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=632811bf4b6e96b54709d125c298493d30576eb8&tochange=bf69c3219b5ef75454640e9eaf087a2650c0c0eb
->
1206961 – Use channel->AsyncOpen2() in image/imgLoader.cpp
https://bugzilla.mozilla.org/show_bug.cgi?id=1206961
Blocks: 1206961
Has Regression Range: --- → yes
Flags: needinfo?(ckerschb)
Summary: Local pages are not allowed to access/load images from extensions, but sometimes they load them → Web pages are not allowed to access/load images from extensions, but sometimes they load them
1. Start browser with e10s disabled.
2. Open this url, then loading of the page - data:text/html,<div style="width: 48px;height: 48px;background-image: url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
3. Ctrl+Click on the reload button in address bar

Result: The page show images from browser
Expected: The page should always show images, or should always hide them
Component: Extension Compatibility → Untriaged
Summary: Web pages are not allowed to access/load images from extensions, but sometimes they load them → Web pages are not allowed to access/load images from browser, but sometimes they load them
Correction: in all scenarios it's necessary to load image at least once. So completely accurate scenarios are described in Comment #1, Comment #3.

1. Start browser with e10s disabled.
2. Open this url - chrome://mozapps/skin/plugins/contentPluginBlocked.png
3. Open this url, then cancel loading of the page - data:text/html,<div style="width: 48px;height: 48px;background-image: url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
4. Ctrl+Click on the reload button in address bar

Result: The page show images from extension
Expected: The page should always show images, or should always hide them


Mozregression-gui generaged this regression range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=632811bf4b6e96b54709d125c298493d30576eb8&tochange=bf69c3219b5ef75454640e9eaf087a2650c0c0eb
->
1206961 – Use channel->AsyncOpen2() in image/imgLoader.cpp
https://bugzilla.mozilla.org/show_bug.cgi?id=1206961
Component: Untriaged → DOM: Security
Product: Firefox → Core
(In reply to 684sigma from comment #3)
> Correction: in all scenarios it's necessary to load image at least once. So
> completely accurate scenarios are described in Comment #1, Comment #3.
> 
> 1. Start browser with e10s disabled.
> 2. Open this url - chrome://mozapps/skin/plugins/contentPluginBlocked.png
> 3. Open this url, then cancel loading of the page - data:text/html,<div
> style="width: 48px;height: 48px;background-image:
> url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
> 4. Ctrl+Click on the reload button in address bar
> 
> Result: The page show images from extension
> Expected: The page should always show images, or should always hide them

I can reproduce that problem. If you 'just' click reload it's still blocked, but if you click 'ctrl-click' it loads in the new tab. I suspect this is an artifact that we are not passing the principal from frontend to the backend code and use the fallback mechanism within docshell to generate a triggeringPrincipal. In fact loading that image should always be blocked because that particular one is not content accessible.

Most likely the problem will be fixed with Bug 1333030.
Flags: needinfo?(ckerschb)
Priority: -- → P2
Whiteboard: [domsecurity-active]
Assignee: nobody → ckerschb
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Assignee: ckerschb → nobody
Status: ASSIGNED → NEW
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: