Closed Bug 1420360 Opened 7 years ago Closed 7 years ago

Is it a bug that you can get any file by path when you have applied <all_urls> in the permissions key?

Categories

(WebExtensions :: Untriaged, defect)

58 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1420296

People

(Reporter: 626954412, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171112125346

Steps to reproduce:

    // In background script
    ~async function () {
        var response = await fetch(
            "file:///X:/path/to/file.ext",
            { mode: 'same-origin' }
        );
        console.log(await response.text());
    }();

Actual results:

I can read any file on my computer with the fetch API when I know the path and have the <all_urls> permission.
See https://stackoverflow.com/questions/42108782/firefox-webextensions-get-local-files-content-by-path
And it has been used in some extensions, e.g. https://github.com/openstyles/stylus/blob/master/js/messaging.js#L382

Expected results:

Is it a feature or a bug?
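A review-side check for the condition the report describes, added here as an example and not part of the original report or of any Mozilla code: it lists the manifest entries whose match pattern covers the file: scheme, so an extension holding <all_urls> stands out during review. The function names and the sample manifests are constructed for illustration; checking optional_permissions and host_permissions in addition to the permissions key goes beyond the case in the report.

```javascript
// Added example: find manifest entries that grant access to file: URLs.

// True if a WebExtension match pattern covers the file: scheme.
// "<all_urls>" covers every supported scheme, file: included.
// A "*" scheme does not cover file:, so "*://*/*" is not flagged.
function coversFileScheme(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^([a-z*]+):\/\//i.exec(pattern);
  return m !== null && m[1].toLowerCase() === "file";
}

// Returns one finding per manifest entry that covers file: URLs.
function auditManifest(manifest) {
  const findings = [];
  const keys = ["permissions", "optional_permissions", "host_permissions"];
  for (const key of keys) {
    const entries = Array.isArray(manifest[key]) ? manifest[key] : [];
    for (const entry of entries) {
      // API permissions such as "tabs" are not match patterns and are skipped.
      if (typeof entry === "string" && coversFileScheme(entry)) {
        findings.push({ key, pattern: entry });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const broadManifest = {
  name: "sample-broad",
  permissions: ["tabs", "storage", "<all_urls>"],
  optional_permissions: ["file:///*"],
};
const narrowManifest = {
  name: "sample-narrow",
  permissions: ["storage", "*://*/*", "https://example.com/*"],
};

for (const m of [broadManifest, narrowManifest]) {
  const hits = auditManifest(m);
  const summary = hits.length
    ? hits.map((h) => `${h.key}: ${h.pattern}`).join(", ")
    : "no file: access requested";
  console.log(`${m.name} -> ${summary}`);
}
```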
Group: toolkit-core-security
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security
Product: Toolkit → WebExtensions
Group: toolkit-core-security