Closed
Bug 1450649
Opened 7 years ago
Closed 7 years ago
Extension cannot fetch data from addons.mozilla.org because the host permissions are not applied
Categories
(WebExtensions :: Request Handling, defect)
Tracking
(firefox59 unaffected, firefox60 affected, firefox61 affected)
RESOLVED
WONTFIX
Tracking | Status
---|---
firefox59 | unaffected
firefox60 | affected
firefox61 | affected
People
(Reporter: robwu, Unassigned)
References
Details
(Keywords: regression)
An add-on cannot use XMLHttpRequest or fetch to read the content of domains such as addons.mozilla.org. It seems that the host permissions from manifest.json are ignored.
According to the original report at https://github.com/Rob--W/crxviewer/issues/58, this regression is caused by https://hg.mozilla.org/integration/mozilla-inbound/rev/39e131181d44 (bug 1415644).
Steps to reproduce:
1. Open the JS debugger for any extension page that supposedly has the permission to load addons.mozilla.org (e.g. extension tab or background page of an extension with "*://*/*" permissions).
2. Run the following code:
var x = new XMLHttpRequest();
x.open('get', 'https://addons.mozilla.org/');
x.onloadend = function() { console.log(this.status); };
x.send();
Expected:
200
Actual:
0
warning: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://addons.mozilla.org/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Comment 1 • 7 years ago
I can't see bug 1415644, but the restriction added there seems by design and not a bug. However, I tried clearing the extensions.webextensions.restrictedDomains pref and the add-on still didn't work; this does seem like a Firefox bug.
Comment 2 • 7 years ago
This is intentional.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Comment 3 • 7 years ago (Reporter)
Why can an extension not send requests to AMO?
It ought to be safe to send an anonymous request (XMLHttpRequest with mozAnon, or fetch with credentials:'omit') to AMO.
Requests with credentials can potentially be too powerful. But if someone really wants to, they can work around the restriction by using the cookies API to read credentials and using a proxy (server) to send the request.
Now, the only way to read data from AMO (regardless of credentials) is to use an external web server as a proxy.
So the usability of the extension APIs is reduced, seemingly without offering any added value to security.
Updated • 7 years ago
Blocks: CVE-2018-5152
Updated • 7 years ago
Product: Toolkit → WebExtensions