Bug 1443073 (Closed)
Opened 7 years ago
Closed 7 years ago
extensions can inject script into addons.mozilla.org by modifying requests to www.google-analytics.com
Categories: WebExtensions :: General, enhancement
Tracking: (Not tracked)
Status: RESOLVED INVALID
People: (Reporter: pauljt, Unassigned)
Keywords: sec-high
In 1415644 we are prohibiting extensions from messing with this domain by adding a domain blacklist. But we include Google Analytics on addons.mozilla.org, so an extension could inject script by modifying the response.
Looks like 1415644 is close to landing, so I'm filing this as a follow-up.
Updated•7 years ago
Group: core-security → toolkit-core-security
Comment 1•7 years ago
Shane, can you take a look? This shouldn't work, since the request originates from a domain that we block (AMO).
Flags: needinfo?(mixedpuppy)
Comment 2•7 years ago
Paul, was this something verified as possible to do?
At least with Bug 1415644 it shouldn't be; we check the loading principal against the blacklist.
https://searchfox.org/mozilla-central/source/toolkit/components/extensions/webrequest/ChannelWrapper.cpp#378
Flags: needinfo?(mixedpuppy) → needinfo?(ptheriault)
Comment 3•7 years ago (Reporter)
Yep, this bug was me misunderstanding what the change in 1415644 does (see my comment here: https://bugzilla.mozilla.org/show_bug.cgi?id=1415644#c64).
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(ptheriault)
Resolution: --- → INVALID
Updated•7 years ago
Product: Toolkit → WebExtensions
Updated•5 years ago
Group: toolkit-core-security