1421383 - WebExtension can interfere with requests from about:newtab

Status: RESOLVED WORKSFORME

(WebExtensions :: General, defect)

Description

[rugk]

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171113102334

Steps to reproduce:

Sometimes NoScript blocks requests from about:newtab. The issue now is: Why can it do so at all? 

Because should not WebExtensions have no access to about:newtab as it is a Firefox-internal site? At least it looks as if they do not have, as all add-ons do not display any information about the site. Same with NoScript. It is labeled "NoScript" there and clicking on it takes you to the settings…

This continues Bug 1421095.


Actual results:

NoScript blocks request.

Note that I am not entirely sure it is about:newtab requesting it, but it seems to be something internal in Firefox.


Expected results:

AFAIK addons (WebExtensions) should not be able to interfere with Firefox-internal components, do they?

Comment 1

[Caitlin Neiman [:caitmuenster]]

Hi rugk, this has been added to the agenda for the December 19, 2017 WebExtensions APIs triage. Would you be able to join us? 

Here’s a quick overview of what to expect at the triage: 

* We normally spend 5 minutes per bug
* The more information in the bug, the better
* The goal of the triage is to give a general thumbs up or thumbs down on a proposal; we won't be going deep into implementation details

Relevant Links: 

* Wiki for the meeting: https://wiki.mozilla.org/WebExtensions/Triage#Next_Meeting
* Meeting agenda: https://docs.google.com/document/d/1KwfTum8Ow5w4afPAOvShpu_d_MNtahhOIqL3-Em9lLc/edit#
* Vision doc for WebExtensions: https://wiki.mozilla.org/WebExtensions/Vision

Comment 2

[Andy McKay]

Thanks for the bug, but this is by design. The only requests that we feel should be locked down are ones vital to the functioning of the browser, such as block list requests or OCSP requests.