Closed Bug 1367529 Opened 7 years ago Closed 7 years ago

Require user interaction for downloads.open()

Categories

(WebExtensions :: General, enhancement, P2)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1369782

People

(Reporter: mstriemer, Assigned: mstriemer)

Details

(Keywords: csectype-priv-escalation, sec-moderate, Whiteboard: Could allow malware or abuse of vulnerable applications)

An extension should only be able to call downloads.open() when initiated by a user interaction like a button click or shortcut command. If this is not the case, then a user might not be able to tell why files are opening on their computer, which may lead to security issues.

This is how Chrome works, as noted in a Chromium bug [1], but it is not documented.

[1] https://bugs.chromium.org/p/chromium/issues/detail?id=349715
Group: toolkit-core-security
See Also: → CVE-2017-7821
Andrew, I hear you might have some experience with detecting a user interaction. Do you have any examples of APIs that do this or know how we might check it in the downloads.open() code?
Flags: needinfo?(aswan)
Yeah, browser.permissions.request() can only be called in response to a user interaction.
The implementation is here:
http://searchfox.org/mozilla-central/source/toolkit/components/extensions/ext-c-permissions.js

But then we also have bug 1350151 to eliminate a bunch of the boilerplate for writing such APIs.

Also, note that browser.downloads.open() requires a separate "downloads.open" manifest permission (in addition to "downloads") but we're not actually prompting separately for that permission.
Flags: needinfo?(aswan)
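
A simplified model of the gate discussed in this thread, as an added example that is not Firefox's implementation or code from any commenter: the privileged call succeeds only while a user-input handler is running and only with the separate "downloads.open" permission. `UserInputGate`, `makeDownloadsApi` and `runScenario` are hypothetical names, and treating the flag as covering only the synchronous body of the handler is an assumption of this model.

```javascript
// Added example: a simplified model of a user-input gate, not Firefox's code.
// UserInputGate, makeDownloadsApi and runScenario are hypothetical names.
class UserInputGate {
  constructor() { this.depth = 0; }
  get handlingUserInput() { return this.depth > 0; }
  // Run a handler the way a real click or shortcut would be dispatched.
  // The flag covers only the synchronous body of the handler.
  dispatchUserEvent(handler) {
    this.depth++;
    try {
      return handler();
    } finally {
      this.depth--;
    }
  }
}

function makeDownloadsApi(gate, grantedPermissions, opened) {
  return {
    open(downloadId) {
      if (!grantedPermissions.includes("downloads.open")) {
        throw new Error("missing downloads.open permission");
      }
      if (!gate.handlingUserInput) {
        throw new Error("downloads.open requires user interaction");
      }
      opened.push(downloadId); // stands in for launching the file
    },
  };
}

// Constructed scenario: one call from a click handler, one that the handler
// deferred until after it returned, and one from background code.
function runScenario(permissions = ["downloads", "downloads.open"]) {
  const gate = new UserInputGate();
  const opened = [];
  const downloads = makeDownloadsApi(gate, permissions, opened);
  const attempt = (id) => {
    try { downloads.open(id); return "opened"; } catch (e) { return e.message; }
  };
  const deferred = [];
  const fromClick = gate.dispatchUserEvent(() => {
    deferred.push(() => attempt(2)); // models work queued for later
    return attempt(1);
  });
  const fromDeferred = deferred[0](); // runs after the handler has returned
  const fromBackground = attempt(3);
  return { fromClick, fromDeferred, fromBackground, opened };
}
```

In this model only the call made directly inside the click handler opens a file; the deferred and background calls are rejected, which is the property that lets a user connect an opened file to something they just did.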
Whiteboard: Could allow malware or abuse of vulnerable applications
I filed a public bug since on its own this isn't a security issue. Closing as duplicate.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Product: Toolkit → WebExtensions
Group: toolkit-core-security