Closed Bug 1371793 Opened 4 years ago Closed 3 years ago

Allow the creation of tabs with about: URLs

Categories

(WebExtensions :: Untriaged, enhancement, P3)

enhancement

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1269456

People

(Reporter: andy+bugzilla, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [design-decision-needed] triaged, security input needed)

Currently you can update, close, move and interact with about: pages using the tab API. The only about: page you can create is the newtab, if tab.create({}) is called, it defaults to calling the new tab.

I'd like to see if we can allow these. Some concerns I've heard so far are: 

* This makes it hard to change in the future if things change. I'm not concerned about this, Firefox has had about: pages for a long time and they change rarely. This should not block any serious Firefox development. And since they exist and appear in APIs already, that problem already exists.

* The page URL can contain URLs or fragments and we aren't sure how well sanitised those are. Is it possible to do something like about:reader?url="javascript(...)". Don't know. For that reason I'm pinging security for some help.

* It makes social engineering a little easier if an add-on can open about:config, or about:addons and try to encourage users to do things they really shouldn't.

Its possible that a small number of pages could be added to an approval list, rather than everything. For example about:reader or about:addons are popular.

If there's problems with some of these concerns, we could add in specific APIs for the most common pages. For example: tab.createReaderPage. You can already do something like this with runtime.openOptionsPage which open about:addons to your add-on.

https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/runtime/openOptionsPage
> If there's problems with some of these concerns, we could add in specific
> APIs for the most common pages. For example: tab.createReaderPage. You can
> already do something like this with runtime.openOptionsPage which open
> about:addons to your add-on.

We can special case some handling for those in tabs.create if necessary.
Whiteboard: [design-decision-needed] triaged, security input needed
I've found that you can actually link to any about: page that has nsIAboutModule::MAKE_LINKABLE set, which makes this a little better than comment 0 implies. However, it's still annoying when you can't link to some about: pages... maybe adding a WebExtension permission to allow this across the board would help?
(In reply to Andy McKay [:andym] from comment #0)
> Currently you can update, close, move and interact with about: pages using
> the tab API. The only about: page you can create is the newtab, if
> tab.create({}) is called, it defaults to calling the new tab.

Your language here is a little vague - what do you mean by "update" in this context. I thought web extensions had very limited interaction with any tab which isn't web content privileged.  From MDN:
"...to use tabs.executeScript() or tabs.insertCSS() you must have the host permission for the tab"

And you can't get the host permission for about: pages (which is good). But I'm not sure about other ones. For example, tabs.captureVisibleTab() could be used to capture sensitive information from about:pages. 

> 
> * The page URL can contain URLs or fragments and we aren't sure how well
> sanitised those are. Is it possible to do something like
> about:reader?url="javascript(...)". Don't know. For that reason I'm pinging
> security for some help.

I don't know of any cases that are directly exploitable like this, but there might be. There are certainly a lot of dangerous pages like this, e.g. about:config?filter=sandbox.content.level

If we do allow an API I dont see any reason not to filter based on a whitelist which prohibits use of query string.

> * It makes social engineering a little easier if an add-on can open
> about:config, or about:addons and try to encourage users to do things they
> really shouldn't.
Im not super worried about that - if social engineering is your goal, convincing the user to install an extension which and THEN doing your bidding adds an additional step. Its easier just to tell the user to hit command+r and then paste a command.

> 
> Its possible that a small number of pages could be added to an approval
> list, rather than everything. For example about:reader or about:addons are
> popular.

If we DO want to do this, then I would strongly advocate for this whitelist approach. I would also advocate that we limit the use case (ie dont allow stuff like <a href=about:preferences>, only allow it for something like tabs.create(). The risks presented by allow the user to simply open a subset of about pages, would seem to be much less than allowing for more complex interaction.

Do we have a list of the common use cases? What types of about:pages are people trying to open and for what purpose?
(In reply to Paul Theriault [:pauljt] from comment #3)
> (In reply to Andy McKay [:andym] from comment #0)
> > Currently you can update, close, move and interact with about: pages using
> > the tab API. The only about: page you can create is the newtab, if
> > tab.create({}) is called, it defaults to calling the new tab.
> 
> Your language here is a little vague - what do you mean by "update" in this
> context. I thought web extensions had very limited interaction with any tab
> which isn't web content privileged.  From MDN:
> "...to use tabs.executeScript() or tabs.insertCSS() you must have the host
> permission for the tab"

Sorry. You are correct, you can't change the actual contents because tabs.executeScript won't allow you. But because the page is just a tab, you can call most other tab APIs. For example: calling tabs.remove on the tab, or calling the tabs.update API on it.

> > Its possible that a small number of pages could be added to an approval
> > list, rather than everything. For example about:reader or about:addons are
> > popular.
> 
> If we DO want to do this, then I would strongly advocate for this whitelist
> approach. I would also advocate that we limit the use case (ie dont allow
> stuff like <a href=about:preferences>, only allow it for something like
> tabs.create(). The risks presented by allow the user to simply open a subset
> of about pages, would seem to be much less than allowing for more complex
> interaction.
> 
> Do we have a list of the common use cases? What types of about:pages are
> people trying to open and for what purpose?

Sounds good to me. There's a pretty limited subset, about:reader is the most common one (and linked to from this bug), about:addons, about:downloads... and that's really about it. We could probably just evaluate each one as the request comes up.
(In reply to Paul Theriault [:pauljt] from comment #3)
> Do we have a list of the common use cases? What types of about:pages are
> people trying to open and for what purpose?

(In reply to Andy McKay [:andym] from comment #4)
There's a pretty limited subset, about:reader is the most
> common one (and linked to from this bug), about:addons, about:downloads...
> and that's really about it. We could probably just evaluate each one as the
> request comes up.

I need to open about:sync-tabs in New Tab Override because some people want to use this as new tab page. It was implemented in New Tab Override as pre defined option because there was more than one request to do that. I don't have stats how many people use this option but it's a use case to see the synced tabs as new tab page.
Please note that about:sync tabs was removed in Firefox 55 as per bug 1365273.
Oh, I didn't know that. Thank you for the information. So you can ignore comment 5. ;)
Priority: -- → P3
Could we please also add about:newtab to the list of allowed about: pages to open the default new tab page (aka Activity Stream in Firefox 57)?

Use case for my add-on New Tab Override: Users have different options for the new tab page and one option is to use the default new tab page without disabling or uninstalling the add-on.

It's very bad for user retention if users have to uninstall or disable the add-on to try and compare the different options. Also I don't want to explain to the users as part of the add-on that and how they have to uninstall or disable the add-on to enable the default new tab page, that's too much information for the user interface.

At the moment I don't see a way with WebExtensions to use the default new tab page without uninstalling or disabling the add-on which is overriding the new tab page. Or do I overlook something?
Flags: needinfo?(amckay)
Seems reasonable to me, but leaving for the design-decision-needed meeting.
Flags: needinfo?(amckay)
A dupe of Bug 1269456?
Depends on: 1390035
Was this bug ever triaged (or maybe design-decision-needed is a separate meeting?)?

This bug is relevant to my project[1] and I am willing to work on it (and it's probably easier to ship than the keyboard API :)

[1]: https://github.com/cmcaine/tridactyl/pull/8#issuecomment-333365259
Blocks 1403295

We'd like to support this as part of the support work for the keyboard API/alternative UIs. In particular we want to support opening about:addons and about:downloads, but the more the merrier.

needinfo'ing aswan for support.
Flags: needinfo?(aswan)
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(aswan)
Resolution: --- → DUPLICATE
Duplicate of bug: 1269456
This bug is about opening a new tab for the "about" functions, not necessarily relative to extensions.  Bug #1269456 is specifically about extensions.  Thus, this is not a duplicate of bug #1269456.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
> This bug is about opening a new tab for the "about" functions, not necessarily relative to extensions.

Where are you seeing that? Comment 0 and every subsequent comment from what I can see are specific to WebExtensions.
Status: REOPENED → RESOLVED
Closed: 3 years ago3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1269456
Product: Toolkit → WebExtensions
You need to log in before you can comment on or make changes to this bug.