Web pages are not allowed to access/load images from browser, but sometimes they load them

ASSIGNED
Assigned to

Status

()

P3
normal
ASSIGNED
2 years ago
14 days ago

People

(Reporter: 684sigma, Assigned: ckerschb)

Tracking

({regression})

52 Branch
regression
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
Created attachment 8861265 [details]
ellipsis problem, by reporter.zip

When testing Bug 1359282, I noticed an issue in Firefox Beta 52. It also happens in Firefox Beta 53, Nightly 55. Doesn't happen in ESR 45.
Local pages are not allowed to access/load images from extensions, but sometimes they load them. Here's how to reproduce the bug.

1. Install panorama
2. Start browser with e10s disabled
3. Open attached .html page. Cancel loading of the page.
4. Ctrl+Click on the reload button in address bar

Result: The page show images from extension
Expected: The page should always show images, or should always hide them

Each time the page doesn't show images, browser console displays this error:
Security Error: Content at file:///C:/.../tabview.html may not load or link to chrome://tabgroups/skin/edit-light.png.
(Reporter)

Updated

2 years ago
Has STR: --- → yes
Keywords: regression
Component: Untriaged → Extension Compatibility
(Reporter)

Comment 1

2 years ago
Created attachment 8863065 [details]
web pages sometimes load images from extensions, by reporter.html

1. Install panorama.
2. Start browser with e10s disabled. Open, then close tab groups frame.
3. Open attached .html page. Cancel loading of the page.
4. Ctrl+Click on the reload button in address bar

Result: The page show images from extension
Expected: The page should always show images, or should always hide them

Mozregression-gui generaged this regression range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=632811bf4b6e96b54709d125c298493d30576eb8&tochange=bf69c3219b5ef75454640e9eaf087a2650c0c0eb
->
1206961 – Use channel->AsyncOpen2() in image/imgLoader.cpp
https://bugzilla.mozilla.org/show_bug.cgi?id=1206961
(Reporter)

Updated

2 years ago
Blocks: 1206961
Has Regression Range: --- → yes
Flags: needinfo?(ckerschb)
Summary: Local pages are not allowed to access/load images from extensions, but sometimes they load them → Web pages are not allowed to access/load images from extensions, but sometimes they load them
(Reporter)

Comment 2

2 years ago
1. Start browser with e10s disabled.
2. Open this url, then loading of the page - data:text/html,<div style="width: 48px;height: 48px;background-image: url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
3. Ctrl+Click on the reload button in address bar

Result: The page show images from browser
Expected: The page should always show images, or should always hide them
Component: Extension Compatibility → Untriaged
Summary: Web pages are not allowed to access/load images from extensions, but sometimes they load them → Web pages are not allowed to access/load images from browser, but sometimes they load them
(Reporter)

Comment 3

2 years ago
Correction: in all scenarios it's necessary to load image at least once. So completely accurate scenarios are described in Comment #1, Comment #3.

1. Start browser with e10s disabled.
2. Open this url - chrome://mozapps/skin/plugins/contentPluginBlocked.png
3. Open this url, then cancel loading of the page - data:text/html,<div style="width: 48px;height: 48px;background-image: url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
4. Ctrl+Click on the reload button in address bar

Result: The page show images from extension
Expected: The page should always show images, or should always hide them


Mozregression-gui generaged this regression range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=632811bf4b6e96b54709d125c298493d30576eb8&tochange=bf69c3219b5ef75454640e9eaf087a2650c0c0eb
->
1206961 – Use channel->AsyncOpen2() in image/imgLoader.cpp
https://bugzilla.mozilla.org/show_bug.cgi?id=1206961
Component: Untriaged → DOM: Security
Product: Firefox → Core
(Assignee)

Comment 4

2 years ago
(In reply to 684sigma from comment #3)
> Correction: in all scenarios it's necessary to load image at least once. So
> completely accurate scenarios are described in Comment #1, Comment #3.
> 
> 1. Start browser with e10s disabled.
> 2. Open this url - chrome://mozapps/skin/plugins/contentPluginBlocked.png
> 3. Open this url, then cancel loading of the page - data:text/html,<div
> style="width: 48px;height: 48px;background-image:
> url('chrome://mozapps/skin/plugins/contentPluginBlocked.png');"></div>
> 4. Ctrl+Click on the reload button in address bar
> 
> Result: The page show images from extension
> Expected: The page should always show images, or should always hide them

I can reproduce that problem. If you 'just' click reload it's still blocked, but if you click 'ctrl-click' it loads in the new tab. I suspect this is an artifact that we are not passing the principal from frontend to the backend code and use the fallback mechanism within docshell to generate a triggeringPrincipal. In fact loading that image should always be blocked because that particular one is not content accessible.

Most likely the problem will be fixed with Bug 1333030.
Flags: needinfo?(ckerschb)
Priority: -- → P2
Whiteboard: [domsecurity-active]
(Assignee)

Updated

2 years ago
Assignee: nobody → ckerschb
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
You need to log in before you can comment on or make changes to this bug.