Closed Bug 1455350 Opened 6 years ago Closed 6 years ago

Don't let malicious add-ons affect the add-ons manager

Categories

(WebExtensions :: Request Handling, defect, P2)

defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1299571

People

(Reporter: gingerbread_man, Unassigned)

References

Details

Add-ons are prevented from affecting Mozilla sites like addons.mozilla.org. They should also not be able to affect the Add-ons Manager. Bug 1454691 requested that but was quickly turned into a blocklisting bug. As you can see from bug 1454691, comment 2, there are numerous IDs for the add-on in question. It's a cinch to generate more and thus bypass blocklisting. By itself, it isn't an effective way to protect users.

Placing in WebExtensions: Frontend because of the code used in the add-on, though this might belong in Add-ons Manager instead.
We shouldn't allow extensions to redirect away from about: pages. This doesn't provide a good user experience and could potentially allow for phishing.

Marking as P2 but we may want to get to this sooner.

In tabs.update [1] we check that the URL that is being redirected to is valid, but we should also apply some restrictions to the URL being redirected away from. I'm guessing there are more places we'll need this check than just update. webRequest most likely at least.

[1] https://searchfox.org/mozilla-central/rev/59a9a86553e9bfd9277202748ff791fd9bc0713b/browser/components/extensions/parent/ext-tabs.js#643
Status: UNCONFIRMED → NEW
Component: WebExtensions: Frontend → WebExtensions: Request Handling
Ever confirmed: true
Priority: -- → P2
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
See Also: → 1455360
I'm not sure we want to WONTFIX this. Add-ons won't be able to provide a replacement UI for about:addons or about:preferences. Why would we want them to prevent it? I'm not convinced "start in safe mode" is a solution someone with limited computer experience is going to come up with. "Switch to Chrome/Edge/Safari" seems much more likely.

Is there a compelling reason not to handle this case?
Flags: needinfo?(kmaglione+bmo)
The main issue is that it prevents tab extensions from handling those tabs. I suppose we could handle that case by only allowing those tabs to be modified from a user input handler.

Either way, though, that doesn't change the fact that this bug is a dup.
Flags: needinfo?(kmaglione+bmo)
Product: Toolkit → WebExtensions
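As an added illustration of the check discussed in this bug (not code from Firefox's ext-tabs.js or from any commenter), a navigation policy that validates both ends of a tab update: the destination URL, as tabs.update already does, and the page being left, refusing a silent move away from a privileged about: page unless the request comes from a user input handler. The two allow-lists and the `fromUserInput` flag are assumptions.

```javascript
// Added example (not Firefox's ext-tabs.js code): a tab-navigation policy
// that checks both ends of a redirect: the destination, as tabs.update
// already does, and the page being left, as this bug asks. A silent
// navigation away from a privileged about: page is refused unless it
// comes from a user input handler. The two allow-lists are assumptions.
const NAVIGABLE_ABOUT_PAGES = new Set(["blank", "newtab", "home"]);
const ALLOWED_TARGET_SCHEMES = new Set(["http:", "https:"]);

function parseUrl(url) {
  try { return new URL(url); } catch (e) { return null; }
}

// True for about: pages an extension must not navigate away from silently.
function isPrivilegedAboutPage(url) {
  const parsed = parseUrl(url);
  if (!parsed || parsed.protocol !== "about:") return false;
  // For "about:addons#extensions", pathname is "addons"; the hash is separate.
  return !NAVIGABLE_ABOUT_PAGES.has(parsed.pathname.toLowerCase());
}

// Destination check: only ordinary web URLs and about:blank are accepted;
// javascript:, data:, file: and other about: pages are refused.
function isAllowedTarget(url) {
  const parsed = parseUrl(url);
  if (!parsed) return false;
  if (parsed.protocol === "about:") return parsed.pathname.toLowerCase() === "blank";
  return ALLOWED_TARGET_SCHEMES.has(parsed.protocol);
}

// Decide whether an extension may update a tab from currentUrl to targetUrl.
// fromUserInput marks a request made from a user input handler (assumed flag).
function mayNavigateTab({ currentUrl, targetUrl, fromUserInput = false }) {
  if (!isAllowedTarget(targetUrl)) {
    return { allowed: false, reason: "target-url-not-allowed" };
  }
  if (isPrivilegedAboutPage(currentUrl) && !fromUserInput) {
    return { allowed: false, reason: "cannot-leave-privileged-about-page" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests, as an extension might issue via tabs.update.
for (const req of [
  { currentUrl: "about:addons", targetUrl: "https://example.com/" },
  { currentUrl: "about:addons", targetUrl: "https://example.com/", fromUserInput: true },
  { currentUrl: "about:newtab", targetUrl: "https://example.com/" },
  { currentUrl: "https://example.com/", targetUrl: "javascript:alert(1)" },
]) {
  console.log(JSON.stringify(req), "->", mayNavigateTab(req).reason);
}
```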