webRequest cannot easily distinguish requests originating from AppCache

RESOLVED WONTFIX

Status

enhancement
RESOLVED WONTFIX
a year ago
10 months ago

People

(Reporter: gertjan.franken, Unassigned)

Tracking

56 Branch

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce:

We used an extensive set of web mechanisms that initiate cross-site requests to a blacklisted domain in order to test the thoroughness of ad blocking and privacy extensions developed for Firefox. We concluded that all of these extensions can be bypassed with at least one web mechanism. Apart from the incompleteness of some extensions, we found another cause to be the insufficient extension API and unclear parts of its specification that Firefox offers to its extensions developers.

We found that cross-site requests initiated by <link rel="shortcut icon" href=“…” /> to fetch the favicon cannot be intercepted through an onBeforeRequest listener by extensions. Although this request is only initiated on the first visit to the webpage containing this HTML tag, it does include all cookies of the referred domain.

Cross-site requests initiated through the AppCache API are intercepted by onBeforeRequest listeners, however, it is difficult for extension developers to distinct them from requests initiated by the browser’s background processes (e.g. address bar autocompletion). This is due to the tab identifier given to the listener having the value of -1 in both cases. On top of this, we found no clear specification explaining the value of the tab id associated with these requests. According to us, both the lack of a clear explanation and the difficulty to distinct background processes' requests from the API’s requests, are the most prominent reasons why only a few extensions were able to block requests initiated by the AppCache API.
Group: toolkit-core-security
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit
Group: firefox-core-security
We already have bug 1433700 covering webRequest and favicons.

Which leaves AppCache.  Bug 1237782 is also relevant here but it doesn't seem to have much momentum.

I don't really think this bug needs to remain private...
Summary: Firefox’ extension API does not offer ad blocking and privacy extension developers the means to intercept all cross-site requests. → webRequest cannot easily requests originating from AppCache
Summary: webRequest cannot easily requests originating from AppCache → webRequest cannot easily distinguish requests originating from AppCache
Group: toolkit-core-security
AppCache is going away. We won't be doing any work to support it.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Component: WebExtensions: Untriaged → WebExtensions: Request Handling
Resolution: --- → WONTFIX

Updated

10 months ago
Product: Toolkit → WebExtensions
You need to log in before you can comment on or make changes to this bug.