Closed Bug 1405415 Opened 7 years ago Closed 7 years ago

WebExtensions should be able to open privileged URLs

Categories

(WebExtensions :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1269456

People

(Reporter: MR_1993, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170816210634

Steps to reproduce:

Try to open a 'privileged' URL using a WebExtensions tab API. E.g.

browser.tabs.create({"url": "file:///"});
browser.tabs.create({"url": "about:addons"});


Actual results:

No tabs are opened and "Illegal URL" errors are thrown.


Expected results:

Tabs should be opened with the given URLs. Since the URLs are privileged, the extension still shouldn't be able to run any content scripts on these tabs, inspect their contents or make XMLHttpRequests to their URLs.

This matches Chrome's behaviour, and the behaviour that users expect when they enter one of these URLs somewhere that they can normally treat like an address bar (e.g. [1]).

This isn't an obvious security concern, since opening the URLs only makes privileged actions available onscreen, rather than executing any.

[1]: https://github.com/philc/vimium/issues/2667
Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Product: Toolkit → WebExtensions