URLs with ports should either be rejected as "matches" patterns, or be matched properly

NEW
Unassigned

Status

()

Toolkit
WebExtensions: Compatibility
P5
normal
7 months ago
6 days ago

People

(Reporter: mstange, Unassigned)

Tracking

({dev-doc-needed})

Trunk
dev-doc-needed
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: triaged)

Attachments

(1 attachment)

938 bytes, application/x-xpinstall
Details
(Reporter)

Description

7 months ago
I had this piece of code in my manifest.json:

  "content_scripts": [
    {
      "all_frames": false,
      "js": ["content.js"],
      "matches": ["http://localhost:4242/*"],
      "run_at": "document_start"
    }
  ],

But the content script was not loaded in my http://localhost:4242/ tabs. It only started being loaded after I removed the ":4242" part from the match pattern.

If ports are not supported in the match pattern syntax, then they should be rejected with an error message.
For reference: just tested this in Chrome. The behavior there is that the port is allowed and works correctly. A permission of "http://localhost:4242/*" will not work at "http://localhost4241".

Updated

7 months ago
Priority: -- → P5
Whiteboard: triaged

Comment 2

2 months ago
This also affect APIs that use match patterns, such as the webRequest API.

Ports in URLs are not uncommon, so the expectations with regards to ports in match patterns should be documented at [1]. It is quite surprising that with an explicit port present, the match pattern stops matching anything in Firefox.

Note that Chrome has not documented anything about ports in [2], but as stated in comment 1, "the port is allowed and works correctly".

[1] https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Match_patterns
[2] https://developer.chrome.com/extensions/match_patterns
Component: WebExtensions: General → WebExtensions: Compatibility
Keywords: dev-doc-needed

Comment 3

6 days ago
Created attachment 8934276 [details]
matchport.xpi

Comment 4

6 days ago
I care about this, for making Greasemonkey work as users expect ( https://github.com/greasemonkey/greasemonkey/issues/2673 ).  And having a reason for it would be useful.  And I cant guarantee I understand exactly what the words posted above mean.  So:

Install attached extension.  Run e.g. `python -m SimpleHTTPServer 1234`, and anything (even an equivalent) to listen on port 80.

In Firefox, when navigating to http://localhost/ I get in my console:

    portfree ran at:
    Location http://localhost/
    portfree.js:1:1
    all ran at:
    Location http://localhost/
    all.js:1:1

And when navigating to http://localhost:1234/ I get:

    portfree ran at:
    Location http://localhost:1234/
    portfree.js:1:1
    all ran at:
    Location http://localhost:1234/
    all.js:1:1

The match pattern with a port is ignored.  Meanwhile in Chrome, the match pattern which specifies a port is rejected and the extension doesn't load.  So remove it, and I get:

    portfree ran at: Location {href: "http://localhost/", ancestorOrigins: DOMStringList, origin: "http://localhost", replace: ƒ, assign: ƒ, …}
    all.js:1 all ran at: Location {href: "http://localhost/", ancestorOrigins: DOMStringList, origin: "http://localhost", replace: ƒ, assign: ƒ, …}

And again, the same at http://localhost:1234/ (with the right details logged).

So match should match regardless of port in the URL.  Users should not specify a port in a match pattern.
You need to log in before you can comment on or make changes to this bug.