Closed
Bug 1367529
Opened 7 years ago
Closed 7 years ago
Require user interaction for downloads.open()
Categories
(WebExtensions :: General, enhancement, P2)
WebExtensions
General
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1369782
People
(Reporter: mstriemer, Assigned: mstriemer)
References
Details
(Keywords: csectype-priv-escalation, sec-moderate, Whiteboard: Could allow malware or abuse of vulnerable applications)
An extension should only be able to call downloads.open() when initiated by a user interaction like a button click or shortcut command. If this is not the case, then a user might not be able to tell why files are opening on their computer, which may lead to security issues. This is how Chrome works, as noted in a Chromium bug [1], but it is not documented.

[1] https://bugs.chromium.org/p/chromium/issues/detail?id=349715
Assignee
Updated•7 years ago
Group: toolkit-core-security
Updated•7 years ago
See Also: → CVE-2017-7821
Assignee
Comment 1•7 years ago
Andrew, I hear you might have some experience with detecting a user interaction. Do you have any examples of APIs that do this or know how we might check it in the downloads.open() code?
Flags: needinfo?(aswan)
Comment 2•7 years ago
Yeah, browser.permissions.request() can only be called in response to a user interaction. The implementation is here: http://searchfox.org/mozilla-central/source/toolkit/components/extensions/ext-c-permissions.js But then we also have bug 1350151 to eliminate a bunch of the boilerplate for writing such APIs. Also, note that browser.downloads.open() requires a separate "downloads.open" manifest permission (in addition to "downloads") but we're not actually prompting separately for that permission.
Flags: needinfo?(aswan)
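An extension-side pattern that satisfies the requirement proposed in this bug, as an added example that is not code from the bug thread or from Firefox: downloads.open() is called only from a toolbar-button click handler. `wireOpenLastDownload` and its `api` parameter are hypothetical names, and a Manifest V2 `browserAction` button is assumed.

```javascript
// Added example; `wireOpenLastDownload` and `api` are hypothetical names.
// `api` is the WebExtension namespace (`browser` in Firefox). manifest.json
// must list both "downloads" and "downloads.open" under "permissions".
function wireOpenLastDownload(api, onError = console.error) {
  let lastCompletedId = null;

  // Runs with no user input: only remember which download finished last.
  api.downloads.onChanged.addListener((delta) => {
    if (delta.state && delta.state.current === "complete") {
      lastCompletedId = delta.id;
    }
  });

  // The toolbar-button click is the user interaction. open() is called
  // synchronously in the handler: a handler that awaits something first is
  // no longer treated as handling user input in Firefox.
  api.browserAction.onClicked.addListener(() => {
    if (lastCompletedId === null) {
      return Promise.resolve(false); // nothing to open yet
    }
    return api.downloads.open(lastCompletedId).then(
      () => true,
      (err) => {
        onError(err); // the browser rejected the call
        return false;
      }
    );
  });
}

// In an extension's background script:
if (typeof browser !== "undefined") {
  wireOpenLastDownload(browser);
}
```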
Updated•7 years ago
Keywords: csectype-priv-escalation, sec-moderate
Whiteboard: Could allow malware or abuse of vulnerable applications
Assignee
Comment 3•7 years ago
I filed a public bug since on its own this isn't a security issue. Closing as duplicate.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•6 years ago
Product: Toolkit → WebExtensions
Updated•4 years ago
Group: toolkit-core-security