Cloned iframe in addon is blocked by CSP
Categories
(Core :: DOM: Security, defect, P5)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox59 | --- | affected |
People
(Reporter: calixte, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog])
Attachments
(1 file)
665 bytes, application/gzip
In test-case.tar.gz, get foo.html and serve it on localhost. Load the addon and open http://localhost/foo.html: only the first and third iframes are correctly loaded; the second one is blocked because of CSP.
Comment 1•7 years ago
In the addon, they use "cloneNode(true)" to clone an iframe, then add it to the DOM. It looks like when we use cloneNode we lose the fact that it comes from an add-on?
Updated•7 years ago
Comment 2•7 years ago
Kris: is it Web Extension code that's tracking whether nodes are created by extensions and should bypass CSP?
Comment 3•7 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Kris: is it Web Extension code that's tracking whether nodes are created by
> extensions and should bypass CSP?

No, it's DOM code. I intentionally ignored the cloneNode case, and I'm still on the fence about whether we should handle it.
Comment 4•7 years ago
At least this should be documented somewhere. Is there a place where we documented the CSP exceptions to web extensions-inserted code?
Comment 5•7 years ago
(In reply to Kris Maglione [:kmag] (long backlog; ping on IRC if you're blocked) from comment #3)
> I intentionally ignored the cloneNode case, and I'm still on the fence about
> whether we should handle it.

Why wouldn't we allow it? It's still something the add-on is doing, and we allow the equivalent effect of the add-on inspecting the node and creating a new copy property by property.
Updated•6 years ago
Comment 6•4 years ago
(In reply to Daniel Veditz [:dveditz] from comment #5)
> (In reply to Kris Maglione [:kmag] (long backlog; ping on IRC if you're blocked) from comment #3)
> > I intentionally ignored the cloneNode case, and I'm still on the fence about
> > whether we should handle it.
>
> Why wouldn't we allow it? It's still something the add-on is doing, and we
> allow the equivalent effect of the add-on inspecting the node and creating a
> new copy property by property.

Because it might mean an extension cloning an arbitrary node from a web page and accidentally giving it extra privileges. It might be reasonable to just copy the original origin principals when we clone the node, but even that would be different than explicitly copying the attributes, since the latter would always set the extension principal as the origin.
Updated•2 years ago
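The trade-off debated in comments 5 and 6, as an added example that is not Firefox code and not part of the original bug: a simplified model in which each node records a creator principal and only extension-created nodes skip the page CSP. The function names, the origin allowlist standing in for the page's CSP, and the example.* URLs are constructed assumptions.

```javascript
// Simplified model, not Firefox internals (assumption): a node records the
// principal that created it, and only extension-created nodes skip the page CSP.
const PAGE = "page", EXTENSION = "extension";

function createNode(attrs, creator) {
  return { attrs: { ...attrs }, principal: creator };
}

// Behaviour reported in this bug: the clone keeps no extension marking.
const cloneDroppingPrincipal = (node) => createNode(node.attrs, PAGE);
// Treating every clone as created by whoever called cloneNode.
const cloneStampingCaller = (node, caller) => createNode(node.attrs, caller);
// Option floated in comment 6: the clone inherits the original's principal.
const cloneCopyingPrincipal = (node) => createNode(node.attrs, node.principal);

// Copy built property by property: the caller creates the node, so the
// caller's principal is always the origin.
function copyByAttributes(node, caller) {
  const copy = createNode({}, caller);
  for (const [name, value] of Object.entries(node.attrs)) copy.attrs[name] = value;
  return copy;
}

// Assumed check: an iframe load must match the allowlist unless extension-created.
function loadAllowed(node, allowlist) {
  return node.principal === EXTENSION ||
    allowlist.includes(new URL(node.attrs.src).origin);
}

// Outcome of each strategy when an extension duplicates `original`.
function outcomes(original, allowlist) {
  return {
    dropped: loadAllowed(cloneDroppingPrincipal(original), allowlist),
    stamped: loadAllowed(cloneStampingCaller(original, EXTENSION), allowlist),
    inherited: loadAllowed(cloneCopyingPrincipal(original), allowlist),
    attributeCopy: loadAllowed(copyByAttributes(original, EXTENSION), allowlist),
  };
}

// Constructed sample: the page allows frames from one origin only.
const allowlist = ["https://allowed.example"];
const extensionFrame = createNode({ src: "https://other.example/" }, EXTENSION);
const pageFrame = createNode({ src: "https://other.example/" }, PAGE);
console.log(outcomes(extensionFrame, allowlist), outcomes(pageFrame, allowlist));
```

In this model `stamped` is true for `pageFrame`, which is the accidental privilege grant comment 6 describes, while `inherited` lets the extension's own clones load without lifting the CSP for page-created nodes.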