
Extension generated blob cannot run inline javascript

Status: RESOLVED INVALID
Product: Toolkit
Component: WebExtensions: General
Reported: 3 months ago
Modified: 10 days ago

People

(Reporter: Danny Lin, Unassigned)

Tracking

Version: 53 Branch
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 months ago
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170518000419

Steps to reproduce:

Run the above code in an extension page (e.g. options.html):

// Build an HTML document that contains only an inline script, wrap it in a blob: URL and open it.
var content = '<script>alert("Hello world");</script>';
var blob = new Blob([content], {type: "text/html"});
var url = URL.createObjectURL(blob);
window.open(url);


Actual results:

The alert does not run.


Expected results:

The alert should run since a blob generated by an extension is not considered an extension page and chrome (or browser) is not executable in it.

This works in Chrome.

Comment 1 (Kris Maglione [:kmag])

3 months ago
Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit
Extension blob URLs run with the same privileges as the document that created them, which means that they have the same CSP. And extension CSPs do not allow inline scripts.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → INVALID
(Reporter)

Comment 2

21 days ago
(In reply to Kris Maglione [:kmag] (long backlog; ping on IRC if you're blocked) from comment #1)
> Extension blob URLs run with the same privileges as the document that
> created them, which means that they have the same CSP. And extension CSPs do
> not allow inline scripts.

This behavior is different from Chromium (in which extension blob URLs do not have extension privileges or CSP), and this behavior difference causes an incompatibility for extensions/addons. If there is no better rationale for "extension blob URLs run with the same privileges as the document that created them" (e.g. for security concerns), I think it'd be better to make the behavior consistent with Chromium.
Duplicate of this bug: 1400196