Closed
Bug 1392006
Opened 7 years ago
Closed 7 years ago
Unique data: URI opaque origin breaks extensions such as Easy Passwords
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: francois, Unassigned)
References
Details
Attachments
(1 file)
13.00 KB,
image/png
|
Details |
I discovered that "security.data_uri.unique_opaque_origin = true" breaks the Easy Passwords extension (https://addons.mozilla.org/en-US/firefox/addon/easy-passwords/) completely: the doorhanger is empty (see screenshot).
If we're not shipping this until 57, then I guess we don't have to worry about legacy extensions, but we should make sure that whatever is breaking this extension is not going to break in the Web Extensions world.
Steps to reproduce on Beta 56 (where legacy extensions are allowed):
1. create a new profile and install Easy Passwords
2. click on the "key" in the toolbar to confirm that the doorhanger works
3. enable security.data_uri.unique_opaque_origin in about:config
4. restart Firefox
5. click the "key" again in the toolbar (the Easy Passwords button)
Expected:
The same doorhanger shows up in steps 2 and 5.
Actual:
Doorhanger works fine in step 2 but is empty in step 5.
Comment 1•7 years ago
|
||
(In reply to François Marier [:francois] from comment #0)
> If we're not shipping this until 57, then I guess we don't have to worry
> about legacy extensions, but we should make sure that whatever is breaking
> this extension is not going to break in the Web Extensions world.
I am curious. How do we guarantee this?
My intuition is to test the Web Extensions manually.
But it seems the Easy Passwords does not provide a Web Extension version (maybe I am wrong?).
Comment 2•7 years ago
|
||
(In reply to Ethan Tseng [:ethan] from comment #1)
> I am curious. How do we guarantee this?
> My intuition is to test the Web Extensions manually.
> But it seems the Easy Passwords does not provide a Web Extension version
> (maybe I am wrong?).
Francois, I guess you suggested manual verification right? We are going to land the pref flip in the next couple days so it will be in FF57. That should extension developers (hopefully) provide enough time to fix extensions (if needed).
If you think we should start a manual verification process, then we should kick that off rather sooner than later. What do you think?
Flags: needinfo?(francois)
Reporter | ||
Comment 3•7 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #2)
> If you think we should start a manual verification process, then we should
> kick that off rather sooner than later. What do you think?
I think it would be good idea to know why it's breaking, in case it's something that we haven't seen before and that could be triggered in either chrome or web extensions.
Flags: needinfo?(francois)
Updated•7 years ago
|
Summary: Unique data: URI opaque origin breaks extensions → Unique data: URI opaque origin breaks extensions such as Easy Passwords
Comment 4•7 years ago
|
||
(In reply to François Marier [:francois] from comment #0)
> If we're not shipping this until 57, then I guess we don't have to worry
> about legacy extensions, but we should make sure that whatever is breaking
> this extension is not going to break in the Web Extensions world.
The last couple of versions of Easy Passwords have been Web Extensions; what version are you using? For some reason they have a compatibility max version of 56.0 on AMO so they don't install in Nightly, but I don't know why they'd have that cap. Is that an AMO rule because APIs are changing, or something Wladimir chose to do?
In any case, I don't see any obvious explicit use of data: urls, but who knows what's happening underneath. Would be especially scary if it's in our panel implementation, but I bet it's more likely to be in one of the JS libraries being included.
https://github.com/palant/easypasswords/
Flags: needinfo?(trev.moz)
Reporter | ||
Comment 5•7 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #4)
> The last couple of versions of Easy Passwords have been Web Extensions; what
> version are you using?
Are you sure it's a Web Extension?
I have 1.2.1, which appears to be the latest on AMO (https://addons.mozilla.org/en-US/firefox/addon/easy-passwords/versions/) and on Github (https://github.com/palant/easypasswords/releases), and it shows up as a legacy extension both on release and on Nightly.
Comment 6•7 years ago
|
||
Easy Passwords 1.2 and higher is currently an embedded Web Extension because of data migration. All the functionality is in the Web Extension part already however. I am going to publish a pure Web Extension soon, this won't change any functionality.
That said, Easy Passwords isn't using data: URIs explicitly, this appears to be something used internally by Web Extension APIs. I haven't been able to reproduce the issue on Firefox 57 however (with extensions.legacy.enabled set to true), so maybe only Firefox 56 is affected.
Flags: needinfo?(trev.moz)
Comment 7•7 years ago
|
||
I just uploaded Easy Passwords 1.2.2 to AMO (will hopefully be reviewed soon), it's a pure Web Extension now.
Reporter | ||
Comment 8•7 years ago
|
||
The new version of Easy Passwords works fine with security.data_uri.unique_opaque_origin = true.
Reporter | ||
Comment 9•7 years ago
|
||
(In reply to François Marier [:francois] from comment #8)
> The new version of Easy Passwords works fine with
> security.data_uri.unique_opaque_origin = true.
On Nightly 57.0a1 (2017-08-28) (64-bit) that is.
Reporter | ||
Comment 11•7 years ago
|
||
I suppose we don't care about fixing whatever is incompatible between data-uri blocking and legacy extensions at this point.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(francois)
Resolution: --- → WONTFIX
Comment 12•7 years ago
|
||
As I said, it's an incompatibility with Web Extensions, not legacy extensions. But whatever it is, it shouldn't matter if it only affects Firefox 56.
You need to log in
before you can comment on or make changes to this bug.
Description
•