Closed
Bug 1405415
Opened 7 years ago
Closed 7 years ago
WebExtensions should be able to open privileged URLs
Categories
(WebExtensions :: General, defect)
WebExtensions
General
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1269456
People
(Reporter: MR_1993, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Build ID: 20170816210634 Steps to reproduce: Try to open a 'privileged' URL using a WebExtensions tab API. E.g. browser.tabs.create({"url": "file:///"}); browser.tabs.create({"url": "about:addons"}); Actual results: No tabs are opened and "Illegal URL" errors are thrown. Expected results: Tabs should be opened with the given URLs. Since the URLs are privileged, the extension still shouldn't be able to run any content scripts on these tabs, inspect their contents or make XMLHttpRequests to their URLs. This matches Chrome's behaviour, and the behaviour that users expect when they enter one of these URLs somewhere that they can normally treat like an address bar (e.g. [1]). This isn't an obvious security concern, since opening the URLs only makes privileged actions available onscreen, rather than executing any. [1]: https://github.com/philc/vimium/issues/2667
Updated•7 years ago
|
Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit
Updated•7 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•6 years ago
|
Product: Toolkit → WebExtensions
You need to log in
before you can comment on or make changes to this bug.
Description
•