Closed Bug 1447933 Opened 6 years ago Closed 6 years ago

webRequest cannot easily distinguish requests originating from AppCache


(WebExtensions :: Request Handling, enhancement)

56 Branch
Not set


(Not tracked)



(Reporter: gertjan.franken, Unassigned)


User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce:

We used an extensive set of web mechanisms that initiate cross-site requests to a blacklisted domain in order to test the thoroughness of ad blocking and privacy extensions developed for Firefox. We concluded that all of these extensions can be bypassed with at least one web mechanism. Apart from the incompleteness of some extensions, we found another cause to be the insufficient extension API and unclear parts of its specification that Firefox offers to its extensions developers.

We found that cross-site requests initiated by <link rel="shortcut icon" href=“…” /> to fetch the favicon cannot be intercepted through an onBeforeRequest listener by extensions. Although this request is only initiated on the first visit to the webpage containing this HTML tag, it does include all cookies of the referred domain.

Cross-site requests initiated through the AppCache API are intercepted by onBeforeRequest listeners, however, it is difficult for extension developers to distinct them from requests initiated by the browser’s background processes (e.g. address bar autocompletion). This is due to the tab identifier given to the listener having the value of -1 in both cases. On top of this, we found no clear specification explaining the value of the tab id associated with these requests. According to us, both the lack of a clear explanation and the difficulty to distinct background processes' requests from the API’s requests, are the most prominent reasons why only a few extensions were able to block requests initiated by the AppCache API.
Group: toolkit-core-security
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit
Group: firefox-core-security
We already have bug 1433700 covering webRequest and favicons.

Which leaves AppCache.  Bug 1237782 is also relevant here but it doesn't seem to have much momentum.

I don't really think this bug needs to remain private...
Summary: Firefox’ extension API does not offer ad blocking and privacy extension developers the means to intercept all cross-site requests. → webRequest cannot easily requests originating from AppCache
Summary: webRequest cannot easily requests originating from AppCache → webRequest cannot easily distinguish requests originating from AppCache
Group: toolkit-core-security
AppCache is going away. We won't be doing any work to support it.
Closed: 6 years ago
Component: WebExtensions: Untriaged → WebExtensions: Request Handling
Resolution: --- → WONTFIX
Product: Toolkit → WebExtensions
You need to log in before you can comment on or make changes to this bug.