1435933 - WebExtension can read files on filesystem with tabs.executeScript in NewTab

Status: RESOLVED DUPLICATE of bug 1431371

(WebExtensions :: Untriaged, defect)

Description

[FLR]

Attachment: ExecuteScriptNewTab.zip

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180128191252

Steps to reproduce:

In a browser_action popup of an extension with permissions "activeTab" and "<all_urls>", one can leverage activity streams features (about:newTab and about:home) to, for example, read content of privileged chrome, javascript, data, file, privileged about: URLS.


Actual results:

The attachment is a POC of an extension that can be used to access restricted URL content. The extension will add a question mark browser action icon. When the popup is opened when the active tab is either default about:newTab or about:home, filling the form field and clicking on the fetch button will do the following :
 - Open a new window to the specified URL
 - Take a screenshot of the opened window using tabs.captureVisibleTab
 - Close the opened window
 - Send the screenshot to a remote host


Expected results:

tabs.executeScript should be disabled for about:newTab and about:home has mentioned here : https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/tabs/executeScript

Comment 1

[:Gijs (he/him)]

:ddurst, AIUI you're involved with add-ons now - can you find someone to look into this? Thanks!

Comment 3

[FLR]

Since it's a duplicate is it possible to have access to BUG 1431371 thread ?